VANM256.001AUS PATENT 

HIGH-RATE QUANTUM KEY DISTWBUTION SCHEME RELYING ON 
CONTINUOUSLY PHASE AND AMPLITUDE-MODULATED COHERENT LIGHT 

PULSES 

Related Applications 

[0001] This patent application takes priority from U.S. Provisional 
Application No. 60/394,330, filed on July 5, 2002, which is hereby incorporated by 
reference. 

Field of the Invention 

[0002] The present invention is related to the distribution of a random bit string 
between two authorised parties, for use as a secret key in a secure i.e., encrypted and 
authenticated commimication. 

[0003] The key distribution uses quantum carriers, typically single-photon or 
strongly attenuated pulses, for encoding the key bits. It is supplemented with classical post- 
processing algorithms, namely reconciliation and privacy amplification algorithms, in order 
to distil the secret key. 

[0004] The Heisenberg uncertainty principle of quantum mechanics, together 
with the use of a privacy ampUfication protocol, guarantees that an unauthorised third party 
(any eavesdropper) cannot gain any information on the secret key. 

State of the Art 

[0005] Quantum key distribution (QKD), usually known as quantum 
cryptography, is presently the most advanced appUcation of quantum communication. QKD 
has been proposed in 1984 by C. H. Bennett and G. Brassard as a technique for distributing a 
secret key, i.e., a random bit string, between two authorised parties that relies on quantum 
mechanics. This secret key, also called symmetric key, can then be used by the parties to 
transmit a confidential message by use of a standard cryptographic method such as the 
Vemam code, which is unconditionally secure. It can also be used to authenticate the 
communication, i.e., distinguish legitimate messages from fake ones. 
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10006] Quantum key distribution requires a quantum channel supplemented with 
a (classical) authenticated public channel. Typically, a sequence of light pulses is sent in the 
quantum channel, encoding each a key bit. The quantum properties of light, in particular the 
Heisenberg uncertainty principle, ensure that no mformation can be gained on these key bits 
without disturbing the quantum state of the photons. Public communications over the 
classical channel are then used to estimate the maximum amount of information that a 
potential eavesdropper may have acquired, and distil a secret key out of the raw data. 

[0007] Several practical schemes for quantum key distribution have been 
proposed and implemented over the last ten years. The present state-of-the-art quantum 
cryptographic schemes make use of a binary encoding of the key using ideally single-photon 
states, or, in practice, very faint coherent states containing on average a fraction of a photon 
per pulse. The secret key rate is limited due to the need for photon-counting detectors, which 
have a relatively low maximum repetition frequency in order to keep the detector's afterpulse 
probability negUgible. In addition, the range over which the security is guaranteed is limited 
by a threshold on the quantum bit error rate, which is reached above a certain attenuation 
(beyond a certain range) as a consequence of the detector's dark counts. A review of quantum 
cryptography can be found in ref ^ 

[0008] Another potential implementation of QKD that was raised very recently 
consists in using quantum continuous variables (QCV)^^ such as the electric field 
amplitudes, to obtain possibly more efficient alternatives to usual photon-counting QKD 
techniques. 

[0009] Many recent proposals^"'® to use QCV for QKD have been made that are 
based on the use of "non-classical" light beams, namely squeezed Hght or entangled light 
beams ("EPR beams"), hi contrast, embodiments of the present invention discuss the use of 
"quasi-classical" (coherent) Ught beams. U.S. Patent No. 5,515,438, hereby incorporated by 
reference, describes a quantum key distribution using non-orthogonal macroscopic signals. 
Summarv of Certain Aspects of the Invention 

[0010] Embodiments of the present invention are a potential aUemative to the 
usual single-photon quantum cryptographic techniques devised so far. Key carriers used are 
quasi-classical (coherent) light pulses that contain many photons and are continuously 
modulated in amplitude and phase''. The continuous raw data is then converted into a usable 
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binary key using a continuous reconciliation protocol^'^l In contrast to previous proposals, 
this shows that there is no need for squeezed light in the context of QCV QKD: an equivalent 
level of security may be obtained simply by generating and transmitting continuous 
distributions of coherent states, an easier task compared to generating squeezed states or 
single-photon states. 

[0011] More specifically, embodiments of the present invention distribute secret 
keys at a high rate over long distances. A protocol uses shot-noise limited coherent 
(homodyne) detection, which works at much higher repetition firequencies than single-photon 
detectors, so that high secret-bit rates can indeed be achieved. It remains, in principle, secure 
for very lossy transmission lines by use of a reverse reconciliation algorithm, so it may 
therefore be used over long distances. 

[0012] One further goal of the invention is to demonstrate the practicability of the 
QCV QKD protocol when using Gaussian-modulated coherent states that are laser pulses 
containing several photons. The scope of the invention is not restricted to Gaussian 
distributions (other continuous distributions may be used as well) but this makes the 
demonstration easier. Embodiments of the invention cover the security analysis of the 
protocol and a proof-of-principle experimental implementation, followed by the complete 
secret key extraction, including data reconciliation and privacy amplification. The tested set- 
up yields a secret key rate of approximately 1.7 Mbps for a lossless line and of 75 kbps for a 
3.1 dB line. 

[0013] Embodiments of this invention describe the distribution of a secret key 
between two remote parties by use of quantum coherent states, e.g., attenuated laser pulses, 
that are continuously modulated in phase and amplitude. Coherent (homodyne) detection is 
then performed by the receiver in order to measure the quadrature components of these 
states. 

[0014] One protocol anbodiment of the invention ensures that the information a 
potential eavesdropper may gain at most can be estimated from the measured parameters 
characterising the channel (line attenuation and error rate). Using an authenticated public 
(classical) channel, the resulting raw data (partly correlated continuous variables) can be 
converted into a secret binary key by using a (direct or reverse) reconciliation protocol 
supplemented with privacy amplification. The resulting key can then be used as a private key 
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in order to ensure the confidentiality and/or authentication of a transmission using standard 
cryptographic techniques. 

[0015] Aspects of the quantum continuous-variable cryptographic scheme include 
the continuous distribution of coherent states. This is in contrast with all other schemes, 
which rely on a binary encoding. Here, the encoding of continuous variables into the 
quadrature components of a coherent state makes it possible to encode several key bits per 
coherent pulse. Also, the use of homodyne detection techniques to measure the quadrature 
components of the light field allows this scheme to work at high fi-equencies by comparison 
with photon-counting techniques. 

[0016] Other aspects of the scheme include the use of a continuous reconciUation 
protocol in order to convert the raw key resulting from the first item into a usable binary key. 
A direct or reverse reconciliation protocol may be used depending on the line parameters. For 
lines with an attenuation that exceeds 3 dB, reverse reconciliation must be used in order to 
ensure the security. There is, in principle, no limit on the achievable range using reverse 
reconciliation, but practical considerations (noise in the apparatuses, in particular in the 
coherent detection system, non-unity efficiency of the reconciUation protocols) put a limit on 
the range over which the key can be securely distributed. For very noisy lines with low 
losses, direct reconciliation is preferred. 

[0017] In one embodiment of the present invention there is a quantum cryptographic 
system, comprising at least one sending imit comprising an encoder and distributing a raw key 
in the quadrature components of quantum coherent states that are continuously modulated in 
phase and amplitude; at least one receiving unit comprising a homodyne detector of the 
quantum coherent states in order to measure the quadrature cojnponents of the states; a 
quantum channel for connecting the sending unit to the receiving unit; and a two-way 
authenticated pubUc channel for transmitting non-secret messages between the sending unit 
and the receiving unit. 

[0018] According to one embodiment, the quantum cryptographic system fiirther 
comprises a continuous-variable quantum key distribution protocol ensuring that the amount 
of information a potential eavesdropper may gain at most on the sent and received data can 
be estimated from the measured parameters of the quantum channel (error rate and line 
attenuation). 
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[0019] The sent arid received raw data resulting from the continuous-variable 
protocol are converted into a secret binary key by using a continuous reconciliation protocol 
supplemented with privacy amplification. 

[0020] According to one embodiment, the encoder of the quadrature components 
with a high signal-to-noise ratio encodes several key bits per coherent light pulse. 

[0021] According to another embodiment, the decoding of the quadrature 
components of the light field via the homodyne detector achieves high secret bit rates in 
comparison to photon-counting techniques. 

[0022] In case of noisy quantum channels with low losses, the continuous 
reconciUation protocol is a direct reconciliation protocol, which allows the receiver to 
discretize and correct its data according to the sent values. 

[0023] In case of quantum channels with an attenuation that exceeds 3 dB, the 
continuous reconciliation protocol is a reverse reconciliation protocol, which allows the 
sending unit to discretize and correct its data according to the values measured by the 
receiver. 

[0024] The key secret can be used as a private key for ensuring confidentiality 
and authentication of a cryptographic transmission. 

[0025] According to one embodiment, the quadrature components of the quantum 
coherent states are modulated with a Gaussian distribution, the coordinate values of the 
center of the Gaussian distribution being arbitrary. 

[0026] According to another embodiment, the variance of the Gaussian 
distribution for the quadrature X is different from the variance of the Gaussian distribution 
for the conjugate quadrature P. 

[0027] According to another embodiment, the Gaussian-modulated coherent sates 
are attenuated laser light pulses typically containing several photons. 

[0028] The information, an eavesdropper may gain on the sent and received 
Gaussian-distributed values, can be calculated explicitly using Shannon's theory for 
Gaussian channels. 

[0029] In another embodiment of the present invention there is a method of 

distributing continuous quantum key between two parties which are a sender and a receiver, 
the method comprising selecting, at a sender, two random numbers xa and Pa from a 
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Gaussian distribution of mean zero and variance VaNo, where No refers to the shot-noise 
variance; sending a corresponding coherent state |xA+ipA> in the quantum channel; randomly 
choosing, at a receiver, to measure either quadrature x or p using homodyne detection; 
informing the sender about the quadrature that was measured so the sender may discard the 
wrong one; measuring channel parameters on a random subset of the sender's and receiver's 
data, in order to evaluate the maximum information acquired by an eavesdropper; and 
converting the resulting raw key in the form of a set of correlated Gaussian variables into a 
binary secret key comprising direct or reverse reconciliation in order to correct the errors and 
get a binary key, and privacy amplification in order to make secret the binary key. 

[0030] The reconciliation can produce a common bit string firom correlated 
continuous data, which comprises the following: transformmg each Gaussian key element of 
a block of size n by the sender into a string of m bits, giving m bit strings of length n, 
referred to as slices; converting, by the receiver, the measured key elements into binary 
strings by using a set of sUce estimators; and sequentially reconciliating the slices by using 
an implementation of a binary error correction algorithm, and communicating on the public 
authenticated channel. 

[00311 The post-processing of privacy amplification can comprise distilling a 
secret key out of the reconciliated key by use of a random transformation taken in a universal 
class of hash functions. 

[0032] Informing the sender can comprise utilizing a public authenticated channel 
by the receiver to inform the sender. The channel parameters can include an error rate and a 
line attenuation. 

[0033] In another embodiment of the present invention there is a device for 
implementing a continuous-variable quantum key exchange, the device comprising a light 
source or a source of electromagnetic signals configured to generate short quantum coherent 
pulses at a high repetition rate; an optical component configured to modulate the amplitude 
and phase of the pulses at a high fi-equency; a quantum channel configured to transmit the 
pulses fi-om an emitter to a receiver; a system that permits the transmission of a local 
oscillator from the emitter to the receiver; a homodyne detector capable of measuring, at a 
high acquisition frequency, any quadrature component of the electromagnetic field collected 
at the receiver's station; a two-way authenticated pubUc channel that is used to 
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communicating non-secret messages in postprocessing protocols; and a computer at the 
emitter's and receiver's stations that drives or reads the optical components and runs the 
postprocessing protocols. 

[0034] Altematively, a local oscillator can be transmitted together with the signal 
by use of a polarization encoding system whereby each pulse comprises a strong local 
oscillator pulse and a weak orthogonally-polarized signal pulse with modulated amplitude 
and phase. 

[0035] If polarization encoding is used, the receiving system relies on 
polarization-mode homodyne detection requiring a quarter-wave plate and a polarizing beam 
splitter. 

[0036] M another embodiment of the present invention, there is a device for 
exchanging Gaussian key elements between two parties which are a sender and a receiver, 
the device comprising a laser diode associated with a grating-extended external cavity, the 
laser diode configured to send Ught pulses at a high repetition rate, each pulse typically 
containing several photons; an integrated electro-optic amplitude modulator and a 
piezoelectric phase modulator, configured to generate randomly-modulated light pulses, the 
data being organized in bursts of pulses; a beam-splitter to separate the quantum signal fix)m 
a local oscillator; and a homodyne detector combining the quantum signal and local oscillator 
pulses in order to measure one of the two quadrature components of the light field. 

[0037] The device may further comprise an acquisition board and a computer on 
the sender's and receiver's sides in order to run the post-processing protocols described here 
above. 

[0038] The laser can operate at a wavelength comprised between about 700 and 
about 1600 nm, or the laser can operate at a wavelength comprising telecom wavelengths 
between about 1540 and 1580 nm. 

[0039] The device may additionally comprise means for selecting, at the emitter, 
two random numbers xa and pA fi"om a Gaussian distribution of mean zero and variance 
VaNo, where No refers to the shot-noise variance; means for sending a corresponding 
coherent state |xA+ipA> in the quantum channel; means for randomly choosing, at the 
receiver, to measure either quadrature x or p using homodyne detection; means for informing 
the emitter about the quadrature that was measured so the emitter may discard the wrong one; 
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means for measuring channel parameters on a random subset of the emitter's and receiver's 
data, in order to evaluate the maximum information acquired by an eavesdropper; and means 
for converting the resulting raw key m the form of a set of correlated Gaussian variables into 
a binary secret key comprising direct or reverse reconciliation in order to correct the errors 
and get a binary key, and privacy ampUfication in order to make secret the binary key. 

Brief Description of the Drawings 

[0040] FIG. 1 is a diagram of one configuration of components demonstrating 
embodiments of the present invention. 

[0041] FIG. 2 is a diagram representing Bob's measured values of the quadrature 
component as a fimction of Alice's sent values (in Bob's measurement basis) for a burst of 
60,000 pulses exchanged between Alice and Bob in the configuration shown in Figure 1. 

[0042] FIG. 3. is a diagram representing the channel equivalent noise x as a 
function of the channel transmission G, adjusted using a variable attenuator on the signal 
line. 

[0043] FIG. 4 is a diagram representing the values of Iba (increasing curve), Iae 
(decreasing curve), Ibe (inverse U-shaped curve) as a function of the channel transmission G 
forV«40. 

Description of Certain Embodiments of the Present Invention 

[0044] One realisation of this quantum cryptographic scheme consists in 
modulating the quadrature components of coherent light pulses with a Gaussian distribution. 
The corresponding protocol is demonstrated in what follows. Dealing with Gaussian 
distributions makes the security of the entire protocol easier to analyse, but the scope of the 
present invention is not limited to such random distributions. Alternative continuous 
distributions may be used as well Other improvements of the present mvention can be 
foreseen, such as the use of more efficient reconciUation protocols that may potentially 
increase the achievable range. 

[0045] The protocol described herein works by continuously modulating the 
phase and amplitude of coherent light pulses and measuring the quadrature components of 
the received coherent states. This clearly gives very important practical advantages to such a 
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protocol, in view of the simplicity of the techniques needed to preparing and detecting 
coherent states. In particular, the high dimensionality of the phase space may be exploited by 
modulating the phase and amplitude quadratures with a large dynamics, allowing the 
encoding of several key bits per pulse. This, together with the fact that fast modulation and 
detection can be achieved, results in a high-rate secret key distribution. 

[0046] This protocol, supplemented with a direct reconciliation scheme, can be 
shown to be secure provided that the transmission of the line is larger than 50%, i.e., the 
transmission loss is less than 3 dfi". This is in accordance with the fact that QKD 
fundamentally reUes on the use of non-orthogonal states only and may perfectly well work 
with macroscopic signals instead of single photons (see patent US5515438). The security of 
the protocol is related to the no-cloning theorem'^''", and non-classical features like 
squeezing or EPR correlations have no influence on the achievable secret key rate. The 3 dB 
loss limit of these protocols makes the security demonstration quite intuitive, but there may 
exist in principle multiple ways for two user/partners, e.g., Alice and Bob, to go beyond this 
hmit, for instance by using QCV entanglement purification*^ 

[00471 The concept of reverse reconciliation, detailed below, is an efficient 
technique to cross this 3 dB limit that does not require the generation and purification of 
entanglement, but only a modified classical post-processing. The corresponding coherent- 
state protocol can, in principle, be seciu-e for any value of the line transmission' There is 
therefore no theoretical limit on the achievable range over which security can be guaranteed. 
In addition, it can be shown that the cryptographic security is strongly linked with 
entanglement, even though tiie protocol does not rely on entanglement. 

[0048] Referring to FIG. 1, a configuration of components demonstrating 
embodiments of the present invention will be described. The components are partitioned into 
exemplary use by two users, Alice and Bob. The components include the following: Laser 
diode 102: e.g., SDL 5412 lasing at 780nm; 01 104: e.g., optical isolator; XI2 106: e.g., half- 
wave plate; AOM 108: e.g., acousto-optic modulator; MF 110: e.g., polarization maintaining 
monomode fibre; OD 112: e.g., optical density (attenuator); EOM 114: e.g., integrated 
LiNbOa electro-optic amplitude modulator; PBS 116: e.g., polarizing beam spUtter; BS 118: 
e.g., beam splitter inducing variable attenuation; and PZT 120: e.g., piezo-electric 
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transductor. The lenses are marked with a "f * followed by their focal lengths in millimeters. 
R and T are reflection and transmission coefficients. 

[0049] The basic idea behind reverse reconciliation is to interchange the roles of 
Alice and Bob when converting the measured data into a conmion binary key, that is, Alice 
attempts to guess what was received by Bob rather than Bob guessing what was sent by 
Alice, Consequently, AHce always has an advantage over a potential eavesdropper, Eve, as 
the latter only has a noisy estimate of Alice's data at their disposal in order to guess Bob's 
data. This is, roughly speaking, the mechanism that ensures the security of these new 
protocols. 

[0050] In the description below, the concept of coherent-state QKD supplemented 
with reverse reconciliation is introduced and then an individual attack using an entangling 
doner is described. An explicit expression of the maximum achievable secret key rate is 
deduced. A table-top experiment that generates streams of data corresponding to the protocol 
will be described. Although Alice and Bob are not fully separated in the present 
implementation, the data are created by the same physical process and thus have the same 
structure as they would have in a real cryptographic exchange. Explicitly how to process the 
experimental data to extract the secret key will be demonstrated, that is, reverse 
reconciliation and privacy amplification protocols is performed. Finally, a quantitative 
evaluation of the expected performances of the scheme in a reaUstic key exchange is given. 

Coherent-State Quantum Kev Exchange and Reconciliation Protocols 

[0051] In a QKD protocol such as BB84, Alice and Bob randomly choose one out 
of two complementary bases for respectively preparing and measuring a quantum signal, so 
their data are significant only when their bases are compatible. After this quantum exchange, 
they thus have to agree on a common basis and discard the wrong measurements. According 
to the present invention, we make use of a coherent-state protocol that extends this principle 
to QCV and runs as follows^ ^ First, Alice draws two random numbers xa and pA from a 
Gaussian distribution of mean zero and variance VaNq, where No denotes the shot-noise 
variance, and then she sends to Bob the coherent state |xA+ipA>. Next, Bob raiidomly chooses 
to measure either the quadrature x or p. Then, using a public authenticated channel, he 
informs Alice about the quadrature that he measured so she may discard the wrong one. After 
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running this protocol several times, Alice and Bob (and possibly the eavesdropper Eve) share 
a raw key, that is, a set of correlated Gaussian variables that are called key elements. After 
this quantum exchange, Alice and Bob must convert this raw key into a binary secret key by 
proceeding with the various steps described below including channel evaluation, direct or 
reverse reconciUation (to correct the errors and make the key binary), and privacy 
amplification (to make the key secret). 

Channel Evaluation 

[0052] First, Alice and Bob openly compare a sample of their key elements over 
the classical public channel in order to evaluate the error rate and transmission efficiency of 
the quantum channel. The sacrificed key elements must be chosen randomly and uniformly, 
so that they are representative of the whole sequence, and are unknown in advance to Eve. 
Knowing the correlations between their key elements, Alice and Bob can then evaluate the 
amount of information they share (Iab) as well as the information that Eve can have about 
their values (Iae and Ibe). 

[0053] The esthnated amount of eavesdropped information has some significance 
later on, in the privacy amplification procedure, when Eve's knowledge is destroyed. Indeed, 
it is known that Alice and Bob can in principle distil a secret key with a size S > sup(Iab-Iae , 
Iab-Ibe) bits per key element^"^. Thus, if S > 0, they can extract a common key fi-om their 
correlated key elements by performing one-way classical communication over a public 
authenticated channel, revealing as little information as possible to Eve. There are actually 
two main options for doing this key extraction that are closely related to the above expression 
for S, namely performing either direct or reverse reconciliation. 

Direct Reconciliation (PR) 

[0054] Alice publicly sends correction information, revealing R bits, so Bob 
corrects his key elements to have the same values as Alice. At the end of this step, Alice and 
Bob have a common bit string of length Iab+R, and Eve knows Iae+R bits of this string 
(slightly more if the reconciliation protocol is not perfect). Therefore Alice and Bob get a 
useable secret key if (Iab-Iae) > 0 at the beginning. We call this "direct reconcihation" (DR) 
because the classical information flow has the same direction as the initial quantum 
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information flow. Direct reconciliation is quite intuitive, but it is not secure as soon as the 
quantum channel efficiency falls below 50Vo^\ It may prove useful, however, for very noisy 
low-loss quantum channels. 

Reverse Reconciliation (RR) 

[0055] Alternatively, in a reverse reconciliation protocol, Bob pubhcly sends 
correction information and Alice corrects her key elements to have the same values as Bob. 
Since Bob gives the correction information, this reconciliation keeps (Iab-Ibe) constant, and 
provides a useable key if (Iab-Ibe) > 0. We call this "reverse reconciUation" (RR) because 
Ahce needs to estimate what will be measured by Bob. Such a procedure is actually closer, in 
spirit, to single-photon QKD as there Bob simply communicates to Alice tiie time slots where 
he did not detect a photon (Alice thus reconciliates her data with Bob's measured values). 

Privacv Amplification 

[0056] The last step of a practical QKD protocol consists in Alice and Bob 
performing privacy amplification to filter out Eve*s information. This can be done by 
properly mixing the reconciliated bits so as to spread Eve's uncertainty over the entire final 
key as described above. This procedure requires having an estimate of the amount of 
information collected by Eve on the reconciUated key, so we need to have a bound on Iae for 
DR or on Ibe for RR. In addition, Alice and Bob must keep track of the number of bits 
exchanged pubUcly during reconciUation since Eve might have monitored them. This 
knowledge is destroyed at the end of the privacy ampUfication procedure, reducing the key 
length by the same amount. For a coherent state protocol, the DR bound on Iae given in 
leads to a security limit for a 50% line transmission as mentioned above. The RR bound on 
Ibe, is now estabUshed and shown that it is not associated with a minimum value of the line 
transmission. 

Eavesdropping Strategy Based on an Entangling doner 

[0057] In order to eavesdrop a reverse reconciliation scheme, Eve needs to guess 
the result of Bob's measurement without superimposing too much noise on Bob's data. We 
will call "entangling doner" ^^'^^ a system allowing her to do so. Such a doner creates two 
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quantum-correlated copies of Alice's quantum state, so Eve simply keeps one of them and 
sends the other one to Bob. Let (Xin, pin) be the input field quadratures of the entangling 
doner, and (xb,Pb), (xe,Pe) the quadratures of Bob's and Eve's output fields. To be safe, 
Alice and Bob must assume Eve uses the best possible entangling doner knowing Alice- 
Bob's channel quality: Eve's doner should minimise the conditional variances^^^^ V(xb|xe) 
and V(pb|Pe), i.e., the variance of Eve's estimates of Bob's field quadratures (xb,Pb). As 
described above, these variances are constrained by Heisenberg-type relations, which limit 
what can be obtained by Eve, 

V(xb|xa)V(pb|pe)>No' and V(pb|pa)V(xb|xe) ^ No' (1) 
[0058] where V(xb|xa) and V(pb|Pa) denote Alice's conditional variances. This 
means that Alice and Eve cannot jointly know more about Bob's conjugate quadratures than 
allowed by the Heisenberg principle, even if they conspire together. As we shall see, Alice's 
conditional variances can be bounded by using the measured parameters of the quantum 
channel, which in turn makes it possible to bound Eve's variance. Here, the channel is 
described by the linearized relations Xb = VGx(xin+Bx) and pb = VGp(pin+Bp), with <Xin'> = 
<Pin'> = VNo > No, <Bx,p'> = Xx,pNo, and <XinBx> = <pinBp> = 0. The quantities Xx, Xp 
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represent the channel noises referred to its input, also called equivalent input noises " , 
while Gx, Gp are the channel gains for x and p (Gx,p < 1 for a lossy transmission line), and V 
is the variance of Alice's field quadratures in shot-noise units (V=Va+1). 

[0059] Now comes the crucial point of the demonstration. The output-output 
correlations of the entangling doner, described by V(xb|xe) and V(pb|pe), should only depend 
on the density matrix Din of the field (xin,pin) at its input, and not on the way Alice produced 
this field namely whether it is a Gaussian mixture of coherent states or one of two EPR- 
correlated beams. Inequalities (1) thus have to be fiilfiUed for every physically allowed 
values of V(xb|xa) and V(pb|Pa) given Din. If we look for a bound to Eve's knowledge by 
using (1), we have thus to use the smallest possible value for V(xb|xa) and V(pb|Pa) given 
Din. hi particular, we must assume that Alice uses EPR beams to maximise her knowledge of 
Bob's results, even though she does not do so in practice. The two-mode squeezing (or 
entanglement) that Alice may use is, however, bounded by the variance of her field V, which 
in tum impUes a limit on how well Alice can know Bob's signal as described above: 

V(pb|pa)>Gp(Xp+V^)No and V(xb|xa) > Gx(Xx+V^)No (2) 
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[0060] These lower bounds may be compared with the actual values if Alice 
sends coherent states, that is, V(xB|xA)coh = Gx(Xx +1) No and V(pB|pA)coh = Gp(Xp+l) Nq. 
Nevertheless, if we look for an upper bound on Eve's knowledge by using (1), we need to use 
the pessimistic limits given by (2), which implies 

V(xb|xe)>No/{Gp(Xp+V^)} and V(pb|pe)>No/{Gx(XxW)} (3) 
[0061] It is worthwhile asking whether Eve can reach these bounds. In a practical 
QKD scheme, Alice and Bob will give the same roles to x and p, and Bob will randomly 
choose one of them, as explained above. Assuming therefore that Gx = Gp = G and Xx - Xp = 
X, the two bounds of (3) reduce to V(B1E) > No/fGCx+V"^)}. An entangling doner achieving 
this limit can be sketched as follows. Eve uses a beamsphtter with a transmission G < 1 to 
spUt up a part of the signal transmitted from Alice to Bob, and she injects into the other input 
port a field Em that will induce a noise with the appropriate variance at Bob's end. In order to 
fully control this field Em, Eve will inject one of two EPR-correlated beams, and she will 
keep the second one until Alice and Bob have revealed their bases. This ensures Eve is 
maximally entangled with Bob's field, compatible with the noise observed by Bob (this is an 
"entangling" attack). A straightforward calculation^^ shows that such an entangling doner 
does reach the lower limit of (3). 

Securitv Condition and Secret Bit Rate for a Reverse Reconciliation Protocol 

[0062] In a reverse quantum cryptography protocol, Eve's ability to infer Bob's 
measurement is limited by the inequalities (3) and one must assume that a "perfect" Eve is 
able to reach these limits. In order to estimate the limits on information rates, we use 
Shannon's theory for Gaussian additive-noise channels (Shannon). The information shared 
by Alice and Bob is given by the decrease of Bob's field entropy that comes with the 
knowledge of Alice's field, i.e., Iab=H(B)-H(B|A). For a Gaussian distribution, the entropy is 
given, up to a constant, by H(B)=(l/2) log2(VB) bits per symbol, where Vb is the variance. 
For simplicity, we assume here that the channel gains and noises, and the signal variances are 
the same for x and p. In practice, deviations from this should be estimated by statistical tests). 
Thus, according to Shannon's fomiula, the information rates Iba and Ibe are given by: 
Iba = (l/2)log2[VB/(VB^)coh]Kl/2)log2[(V+x)/(l+^^^ (4a) 
Ibe = (l/2)log2[VB/(VB|E)min]Kl/2)log2[G'(V+x)(V-^+X)] (4b) 
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where Vb = <xb^> = <Pb^> = G(V-fx)No is Bob's variance, (VbieW = V(xB|xE)min = 
V(pB|PE)min = No/{G(x+V'*)} is Eve's minimum conditional variance, and (VB|A)coh = 
V(xB|xA)coh = V(pB|pA)coh = G(x+l)No is Alice's conditional variance for a coherent-state 
protocol. The secret information rate for such a reverse reconciliation protocol is thus^^'^^ 

AIrr =Iba-Ibe = -(l/2)log2[G'(Hx)(V"^+x)] (5) 
and the security is guaranteed (AI>0) provided that G^(H-x) (V"^+x) < 1. For a direct 
reconciliation protocol, a similar calculation gives AIdr = Iab-Iae = (l/2)log2[(V+xy(l"^ 
Vx)] so the security is guaranteed if The equivalent input noise % includes two 
contributions: one is the 'Vacuum noise" due to the losses along the line, given by Xvac = (1- 
G)/G. The noise above vacuimi noise, which we call "excess noise", is defined as e = X-Xvac = 
X -(1-G)/G. In the limit of high losses (G « 1) one has AIrr « -(l/2)log2[l+G(28+V^-l)], 
and thus the protocol will be secure provided that e < (V-1)/(2V) 1/2, Therefore RR may 
indeed be secure for any value of the line transmission G provided that the amount of excess 
noise s is not too large. This is an important difference with DR, which may tolerate large 
excess noise but requires low line losses since we have the conditions G > 1/2 and 8 < (2G- 
1)/G. 

[0063] It should be emphasised that squeezing and entanglement do play a crucial 
role in the security demonstration, even though we deal with a coherent state protocol. This is 
because the bound on Iba is obtained by assuming that Alice may use squeezed or entangled 
beams, and the bound on Ibe can be achieved only if Eve uses an entangling attack. 
Therefore, though we did not consider the most general situation of a collective and/or non- 
Gaussian attack on the whole key exchange between Alice and Bob, we can reasonably 
conjecture that the security proof encompasses all eavesdropping strategies. 

Detailed Description of an Experimental Optical Set-Up 

[0064] In order to exchange correlated sets of Gaussian variables with Bob, Alice 
sends randomly modulated Ught pulses of 120 ns duration at a 800 kHz repetition rate. Each 
pulse contains up to 250 photons, and Bob performs an homodyne measurement of either x 

n 

or p, using local oscillator (LO) pulses, containing about 10 photons, that are also 
transmitted to him. One configuration of an experimental set-up^^ is shown on FIG. 1. The 
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channel losses are simulated by inserting a variable attenuator between Alice and Bob. FIG. 2 
shows a data burst of 60,000 pulses measured by Bob, as a function of the amplitude sent by 
Alice in Bob's measurement basis. The line transmission is 100% and the modulation 
variance is V = 41.7. The solid line is the theoretical prediction (slope equal to one), and the 
insert shows the corresponding histograms of Alice's (gray curve) and Bob's (black curve) 
data. 

[0065] The laser source consists of a commercially available CW laser diode 
(SDL 5412) at 780nm associated with an acousto-optic modulator, that is used to chop pulses 
with a duration 120 ns (full width half-maximum), at a repetition rate 800 kHz. In order to 
reduce excess noise, a grating-extended extemal cavity is used, and the beam is spatially 
filtered using a polarisation maintaining single mode fibre. Light pulses are then split onto a 
10% reflecting beam-splitter, one beam being the local oscillator (LO), the other Alice's 
signal beam. The data is organised in bursts of 60000 pulses, separated by time periods that 
are used to lock the phase of the LO and sequences of pulses to synchronise the parties. In 
the present experiment, there is a burst every 1.6 seconds, which corresponds to a duty cycle 
of about 5%, but this should be easy to improve. 

[0066] The desired coherent state distribution is generated by Alice by 
modulating randomly both the amplitude and phase of the light pulses with the appropriate 
probability law. In the present experiment, the amplitude of each pulse is arbitrarily 
modulated at the nominal 800 kHz rate. However, due to the unavailability of a fast phase 
modulator at 780 nm, the phase is not randomly modulated but scanned continuously fi^om 0 
to 2n using a piezoelectric modulator. For such a determinist phase variation, the security of 
the protocol is of course not warranted and thus no genuine secret key can be distributed. 
However, the experiment provides realistic data, that will have exactly the awaited structure 
provided that random phase permutation on Bob's data are performed. The amplitude 
modulator is an integrated electro-optic LiNbOa Mach-Zehnder interferometer, allowing for 
small voltages inputs (Vn = 2.5V) at 780nm. All voltages for the electro-optic modulator or 
the piezoelectric transductor are generated by an acquisition board (National Instruments 
PCI6111E) connected to a computer. Though all discussions assume the modulation to be 
continuous, digitised voltages are obviously used in practice. With the experimental 
parameters, a resolution of 8 bits is enough to hide the amplitude or phase steps under shot 
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noise. Since the modulation voltage is produced using a 16 bits converter, and the data is 
digitised over 12 bits, we may fairly assume the modulation to be continuous. Due to an 
imbalance between the paths of the mterferometer, the modulator extinction is not strictly 
zero. In the present experiment that is only aimed at a proof of principle, the offset field firom 
the data received by Bob is subtracted. In a real cryptographic transmission, the offset field 
should be compensated by AUce, either by adding a zeroing field, or by using a better 
modulator. For each incoming pulse, either the x or p signal quadrature is measured by 
appropriate switching of the LO phase. The homodyne detection was checked to be shot- 
noise hmited for LO power up to 5x10* photons/pulse. The overall homodyne detection 
efficiency is 0.76, due to the optical transmission (0.9), the mode-matching efficiency (0.92) 
and the photodiode quantum efficiency (0.92). 

[0067] The experiment is thus carried out in such a way that all useful 
parameters - such as photon numbers, signal to noise ratios, added noises, information rate, 
etc. - can be measured experimentally. ReconciUation and privacy ampUfication protocols 
can thus be performed in realistic - though not fiiUy secret - conditions. The limitations of 
the present set-up are essentially due to the lack of appropriate fast amplitude and phase 
modulator at 780 ran. This should be easily solved by operating at telecom wavelengths 
(1540-1580 ran) where such equipment is readily available. 

[00681 Referring to FIG. 3, the curve is the theoretical prediction Xvac = (1-G)/G. 
The error bars include two contributions witti approximately the same size, from statistics 
(evaluated over bursts of 60,000 pulses) and systematics (calibration errors and drift). After 
the quantum exchange, AUce and Bob evaluate the total added noise by calculating the 
variance of the difference between their respective values. This variance has four 
contiibutions: the shot noise No, the channel noise xNo, the electronics noise of Bob's 
detector (Nei =0.26No), and the noise due to imperfect homodyne detection efficiency (Nhom 
=0.32No). In tiie absence of line losses, the measured x is (0.01±0.04), while it is expected to 
be zero. This is attributed to various calibration errors and drifts in the set-up, and gives an 
idea of the experimental uncertainty in the evaluation of the channel noise. In presence of 
line losses, the measured x increases as (1-G)/G as expected, see FIG. 3. 

[0069] Referring to FIG. 4, the value of Ibe is calculated by assummg that Eve 
cannot know the noises Nei and Nhom, which are intemal to Bob's detector. This corresponds 
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to a "realistic'' hypothesis, where the noise of Bob's detector is not controlled by Eve. The 
theoretical value of Iae is also plotted in order to compare RR with DR. 

[0070] The detection noises Nd and Nhom originate from Bob's detection system 
only, so one may reasonably assume that they do not contribute to Eve's knowledge. In this 
"reahstic" approach, Ibe is given by Eq.(4b) with % being the channel noise (i.e., subtracting 
the detection noises). In FIG. 4, Ibe is plotted together with the value of Iba as given by Eq. 
(4a), where x is now the total equivalent noise including both transmission and detection. 
The difference between these two curves gives the achievable secret key rate in reverse 
reconciliation AIrr as a function of the line transmission G. We also show Alice-Eve 
information Iae = (l/2)log2[(V+x'^)/(lx"^)], corresponding to a direct reconciUation 
protocol^ \ with x being the channel noise. The comparison of the DR and RR protocols is 
straightforward by looking at FIG. 4. 

Computer Simulation of the Secret Kev Distillation 

[0071] One aspect in the protocol is to design a (direct or reverse) reconciUation 
algorithm that can efficiently extract a binary common key from the measured data. A 
computer program that performs the various steps of secret key distillation described above, 
namely channel evaluation, reconciliation, and privacy ampUfication^^ was written. Under the 
scope of this "proof-of-principle" experiment, Alice and Bob are simulated on the same 
computer, although it poses no fundamental problem to make them remotely communicate 
over a network. This would require the use of a classical public authenticated channel in 
addition to the quantum channel. The designed program accepts as input the sequences of 
Alice's sent values and Bob's measurement outcomes, and produces a secret key as detailed 
below. First, Alice's and Bob's key elements are compared in order to measure the relevant 
parameters of the quantum channel, namely the overall transmission G and added noise x- 
The estimation of Eve's knowledge is based on Eq.(4), that gives a bound on Ibe once G and 
X are known to Alice and Bob. Then, a reconciliation algorithm is performed, with as few 
leaked bits to Eve as possible. Protocols based on discrete quantum states such as BB84^^ can 
use a discrete reconciUation protocol, for example Cascade^ ^ In contrast, since continuoxis 
key elements are produced here, we instead needed to develop a "sUced" reconciUation 
algorithm^'^^, which produces a common bit string from correlated continuous key elements 
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as described above. Finally, we carry out privacy amplification in such a way that, loosely 
speaking, every bit of the final key is a function of most if not all of the reconciliated bits. 
Following^^"^^ we can reduce the size of the key by (nlBE+r+A(n)) bits, where r indicates the 
public information leaked during the reconciliation of the sequence of size n, and A(n) is an 
extra security margin as described above. This follows jfrom the assumption that Eve can 
only use individual attacks, so that we can consider key elements and eavesdropping as 
independent repetitions of identical random processes. 

Demonstration of Relevant Heisenberg Relations 

[0072] Let us consider the situation where AUce tries to evaluate xb, and Eve tries 
to evaluate pe in a reverse reconciliation protocol. The corresponding estimators can be de 
noted as axA for AHce and ppE for Eve, where a and p can be taken as real numbers. The 
errors for these estimators will be xb|a, a = xb - axA, and pb|e,p = Pb - PPe- Since all operators 
for Alice, Bob and Eve commute, one has obviously [xB|A,a5PB|E,p] = [xb,Pb] and thus we get 
the Heisenberg relation AxB|A,a^ ApB|E,p^ ^ No^. Since the conditional variances are by 
definition given by V(xb|xa) = mina{AxB|A.a^ } and V(pb|pe) = minp{ApB|E,p^ }, we obtain the 
expected relation V(xb|xa) V(pb|pe) ^ No^- Exchanging the roles of x and p, one gets also the 
symmetrical relation V(pb|pa) V(xb|xe) > No^. 

[0073] Alice has the estimators (xa,Pa) for the field (Xin,pin) that she sends out, so 
that one can write Xm = xa + Ax and pin = Pa + Ap with <Ax^> = <Ap^> = sNo , where s is 
related to the amount of squeezing that may be used by Alice to generate this field, and obeys 
s > V"^ By calculating the correlation coefficients <Pa^> = (V - s) No , <Pb^> = Gp (V + Xp) 
No, and < paPb > = VOp <Pa>, one obtains Alice's conditional variance on Bob's 
measurement, V(pb|pa) = <Pb^> - |<PaPb>P/<Pa^> = Gp(s+Xp)No. This equation and the 
constraint s > gives finally V(pb|Pa) ^ Gp (V^+Xp) No, and similarly V(xb|xa) ^ Gx(V' 
^+Xx)No by exchanging the roles of x and p. 

Detailed Description of Sliced Reconciliation 

[0074] We assume that Alice and Bob share correlated Gaussian key elements 
from which they wish to extract I(A; B) common bits, where A (resp. B) denotes the random 
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variable representing one of Alice's (resp. Bob's) Gaussian key elements, described using 
their binary expansion. In order to deal with realistic streams of data despite the non-random 
phase modulation used in the current experiment, the key elements must actually be 
randomly permuted before processing. The reconciliation procedure^'^^ works in the 
following way. Alice chooses m functions Si(A),...,Sm(A) that map her key elements onto {0, 
1 }"^. If Alice and Bob exchanged a block of n key elements Ai,.,.,An5 Alice thus creates m bit 
strings of length n, called "slices", by applying each function Si to all her key elements: 
Si(Ai),..., Si(An). Then AUce and Bob reconciliate each slice sequentially for i=l...n. Since 
this comes down to reconciliating bit strings, we used an implementation^^ of the binary error 
correction algorithm Cascade^^ Bob, on his side, must also convert his key elements Bi,...,Bn 
into binary strings. To this end, he uses another set of functions Ri, called "slice estimators", 
which estimate the bits Si(A) given Bob's current knowledge. Since the slices are corrected 
sequentially for i=l,...,m, Bob aheady knows Si(A),...,Si.i(A) upon correcting slice i, so that 
the slice estimator Ri is a function of B and of the previous reconciliated slices, that is Ri(B; 
Si(A),...,Si.i(A)). It remains to detail how the functions Si are created. On the one hand, we 
wish to extract as many bits as possible out of A and B, but, on the other hand, any bit leaked 
during the binary reconciliation with Cascade does not coxmt as a secret bit since it is 
publicly known. The difference between these two quantities defines the net amount of 
(potentially secret) reconciliated bits per key element, which can be expressed as 
H(Si(A),...,Sm(A))-Sih(ei), where the first term is the entropy of the Alice's produced bits, and 
Q{ = Pr[Ri(B;Si(A),...,Si-i(A)) ^ Si(A)]. This uses the fact that, according to Shannon theory, 
at least n h(e) bits must be disclosed to correct a string of length n with bit error probability e, 
where h(x) = - x log2 x - (1-x) log2(l-x). Note that in practice Cascade leaks a little bit more 
than Shannon's formula. In the case of the current set-up, it appeared useless to reconciUate 
the bits beyond some precision level, so we chose to use m = 5 slices as a trade-off between a 
satisfactory number of reconciliated bits and reasonable computing resources. We discretized 
the field amplitudes into 2^ = 32 intervals, numbered from 0 to 31. What was found to work 
best is to assign the least significant bit of the interval number to Si (A), the second least 
significant bit to S2(A), and so on, up to the most significant bit to S5(A). In other words, the 
reconciUation is carried out from a fine-grained level to a coarse-gained level. We then 
numerically optimized the interval boundaries so as to maximise the net amount of 
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reconciliated bits. It should be stressed that the binary error correction algorithm used in this 
implementation, Cascade^^ is a two-way interactive protocol, so that the information leaking 
to Eve should be estimated carefully. For example, in RR, Eve may gain some knowledge on 
Alice's value that might give her some additional information on the key (Bob's value). The 
same problem occurs in DR, but to a smaller extent. This additional information, which 
reduces the number of secret bits, must be evaluated numeric ally^l 

Detailed Description of Privacy AmpUfication 

[0075] Privacy ampUfication amounts to process the reconciUated key into a 
random transformation taken in a universal class of hash functions * . In this case, we chose 
the class of truncated linear functions in a finite field. This means we considered the 
reconciUated bits as coefficients of a binary polynomial in a representation of the Galois field 
GF(2^^^^^^) whose size allows to process up to 1 10503 bits at once, and hashing was achieved 
by first multiplying the reconciUated polynomial with a random element of the field and then 
extracting the desired number of least significant bits . This operation can be implemented 
efficiently (see e.g.^^). In practice, the explicit knowledge of a prime polynomial over GF(2) 
is needed to perform the modular reduction, so we used the polynomial^^ x^^^^^^+x^^^+L 
Finally, the number of extracted bit is n H(Si(A),..., Sni(A))-I(A;E)-r-A(n), where we reduced 
the final key size by some extra amount A(n), which depends on the actual number of key 
elements and the desired security margin. The evaluation of A(n), which is basically a finite 
size effect, wiU not be described here. 

Evaluation of the Proposed OKD Schemes 

[0076] Table 1 shows the ideal and practical secret key rates of the direct- 
reconciUation and reverse-reconciUation QKD protocols for several values of the line 
transmission G. The RR scheme is in principle efficient for any value of G, provided that the 
reconciliation protocol achieves the limit given by Iba. However, in practice, unavoidable 
deviations of the algorithm from Shannon's limit reduce the actual reconciled information 
shared by Alice and Bob, while Ibe is of coxirse assumed unaffected. For high modulation 
(V»40), the reconciliation efficiency lies around 80%, which makes it possible to distribute a 
secret key at a rate of several hundreds of kbits per second for low losses. However, the 
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achievable reconciliation efficiency drops when the signal-to-noise ratio (SNR) decreases, so 
that no secret bits can be extracted when the channel gain G is too low. This can be improved 
by reducing the modulation variance, which increases the ratio Iba/Ibe so the constraint on 
the reconciUation efficiency is less severe. Although the ideal secret key rate is then lower, 
we could process the data with a reconciliation efficiency of 78% for G = 0.49 (3.1 dB) and 
V=27, resulting in a net key rate of 75 kbits/s. This clearly demonstrates that RR continuous- 
variable protocols operate efficiently at and beyond the 3dB loss limit of DR protocols. We 
emphasize that, although we were not able to extract a key well above 3 dB in this "proof-of- 
principle" experiment, an increase of the reconciUation efficiency would immediately 
translate into a larger achievable range. 

[0077] The QCV protocol can be compared with single-photon protocols on two 
aspects: the raw repetition fi-equency and the secret key rate in bits per time slot. In photon- 
counting QKD, the key rate is intrinsically limited by the maximum repetition frequency of 
the single-photon detector, typically of the order of 100 kHz, due to the lifetime of trapped 
charges in the semiconductor. In contrast, homodyne detection may run at frequencies of up 
to tens of MHz. In addition, a specific advantage of the high dimensionality of the QCV 
phase space is that the field quadratures can be modulated with a large dynamics, allowing 
the encoding of several key bits per pulse. Very high secret bit rates are therefore attainable 
with the coherent-state protocol when using transmission lines of low losses (up to about 
3 dB in the present implementation). For high-loss transmission lines, the protocol is 
presently limited by the reconciUation efficiency, but its intrinsic performances remain very 
high. Let us consider an ideal situation where the reconciliation algorithm attains Shaimon's 
boimd and the excess noise is negUgible. Then, the net key rate of the protocol is slightly 
above that of BB84, which yields G nph/2 secret bits per time slot for a noiseless line, where 
Uph is the number of photons sent per time slot. Taking for instance a 67.1 km line (typical 
current distance for state-of-the-art single-photon QKD^^) with 14.3 dB loss and a reasonable 
modulation V = 10, the protocol would ideally yield a secret key rate of 0.025 bits per time 
slot. Thus, assuming perfect reconciliation and a pulse repetition rate of a few MHz, the QCV 
protocol could achieve a secret key rate as high as 100 kbits/sec. Note, however, that Iba = 
0,208 bits per time slot in this case, so that a reconciUation efficiency of about 90 % would 
actuaUy be needed in a regime of very low (around -5 dB) signal-to-noise ratio. The currently 
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available reconciliation protocols do not reach this regime. For comparison, the secret key 
rate of BB84 with an ideal single-photon source and perfect detectors would be at best 0.019 
bits per time slot with the same line, and even one order of magnitude smaller using 
attenuated light pulses with nph = 0. 1 . 

[0078] Although the present "proof-of-principle" setup is far froni reaching these 
numbers, there is still a considerable margin for improvement, both in the hardware and the 
software. For example, working at telecom wavelengths where fast modulators are available 
would overcome some of the technical limitations of the present set-up. Concerning the 
receiver's system, increasing the detection bandwidth or the homodyne efficiency, and 
decreasing the electronic noise would significantly enhance the achievable range. Also, 
significant improvement may result fi-om further research on reconciliation algorithms'^ ^ This 
suggests that the way is open for testing the present proposal as a practical, high bit-rate, 
quantum key distribution scheme over moderate distances. 
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TABLE 1 



V 


G 

(%) 


Losses 
(dB) 


Ideal 
RR rate 
(kb/s) 


Practical 
RR rate 
(kbs/s) 


Ideal 
DR rate 
(kb/s) 


Practical 
DR rate 
(kb/s) 


41.7 


100 


0.0 


1,920 


1,690 


1, 910 


1,660 


38.6 


79 


1.0 


730 


470 


540 


270 


32 .3 


68 


1.7 


510 


185 


190 




27.0 


49 


3.1 


370 


75 


0 




43.7 


26 


5.9 


85 




0 





[0079] Table 1 summarizes the parameters of the quantum key exchange for 
several values of the line transmission G (the corresponding losses are given in dB). The 
variations of Alice's field variance V are due to different experimental adjustments. The ideal 
secret key bit rates would be obtained from the measured data with perfect key distillation, 
yielding exactly Iba-Ibe bits (RR) or Iab-Iae (DR). The practical secret key bit rates are the 
one achieved with the current key distillation procedure ("-" means that no secret key is 
generated). Both bit rates are calculated over bursts of about 60,000 pulses at 800 kHz, not 
taking into account the duty cycle («5 %) in the present setup. 
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Quantum Distribution of Gaussian Keys with Squeezed States 
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A continuous key distribution scheme b proposed that relies on a pair of canonically conjugate 
quantum variables. It allows two remote parties to sheu^ a secret Gatissian key by encoding it 
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Quantum cryptography — or, more precisely, quantum 
key distribution — is a technique that allows two remote 
parties to share a secret chain of random bits (a secret 
key) that can be used for exchanging encrypted infor- 
mation [1-3]. The security of this process fundamen- 
tally relies on the Heisenberg uncertainty principle, or 
on the fact that any measurement of incompatible vari- 
ables inevitably affects the state of a quantum system. 
Any leak of information to an eavesdropper necessarily 
induces a disturbance of the system, which is, in princi- 
ple, detectable by the authorized receiver. 

In most quantum cryptosystems proposed so far, a sin- 
gle photon (or, in practice, a weak coherent state with an 
average photon number lower than one) is used to carry 
each bit of the key. Mathematically, the security is based 
on the use of a pair of non-commuting observables such 
as the X- and 2r-projections of a spin- 1/2 particle, and 
(7^, whose eigenstates are used to encode the key. The 
sender (Alice) randomly chooses to encode the key using 
either (Tz (0 is encoded as | t) and 1 as | |)) or <Ta; (0 is en- 
coded as 2-^/2(1 t)-f.j D) and 1 as 2-^/2(1 1>- I l»), the 
choice of the basis being disclosed only after the receiver 
(Bob) has measured the photon. This guarantees that an 
eavesdropper (Eve) cannot read the key without corrupt- 
ing the transmission. Such a procedure, known as BB84 
[1], is at the heart of most of the quantum cryptographic 
schemes that have been experimentally demonstrated in 
the past few years, which are based either on the polar- 
ization (e. g. [4,5]) or the optical phase (e. g. [6]) of single 
photons. An alternative scheme, realized experimentally 
only a year ago [7-9], can also be used based on a pair of 
polarization-entangled photons instead of g'ingie photons 
[10]. It is, however, fundamentally equivalent to BB84 
(see [11]) and it again relies on the algebra of spin- 1/2 
particles. 

Recently, it has been shown that another protocol for 
quantum key distribution can be devised based on con- 
tinuous variables, where squeezed coherent light modes 
are used to carry the key [12-14]. In these techniques, 
one exploits a pair of (continuous) canonical variables 
such as the two quadratures X\ and X2 of the ampli- 
tude of a mode of the electromagnetic field, which be- 



have just as position and momentum. The uncertainty 
relation AXi AX2 > 1/4 then implies than Eve can- 
not read both quadrature components without degrading 
the state. Even though the experimental preparation of 
squeezed states is a difficult task, these schemes circum- 
vent a main weakness of the above-mentioned cryptosys- 
tems that is the critical dependence of their security oh 
the ability of preparing single-photon states. 

In this paper, we propose an alternative squeezed-state 
quantum cryptographic scheme, which provides a means 
to distribute a continuous secret key. The goal of our 
protocol is to have Alice and Bob sharing a continuous 
key that consists of a random list of Gaussian-distributed 
variables that cannot be known to Eve. Thus, in this sce- 
nario, both the key and the quantum variable that carries 
it are continuous. This is in contrast with the schemes 
proposed in Ref. [12-14], which appear hybrid as a con- 
tinuous quantum variable was used to carry a discrete 
key element (the shared key was made of bits, or, in 
general, discrete variables). Inste£Ld, our approach can 
be viewed as an all-continuous quantum cryptographic 
scheme, which is the proper continuous extension of the 
BB84 scheme. First, from a theoretical perspective, this 
provides a more satisfying continuous treatment of quan- 
tum key distribution. Remarkably, the tradeoff between 
Eve's information gain and the disturbance at Bob's sta- 
tion can be expressed in an unexpectedly simple way (if 
we restrict ourselves to an individual attack based on the 
optimal continuous cloning machine): the information 
gained by Eve on one quadrature is at most equal to the 
information lost by Bob on the other quadrature. This re- 
sults in a simple information-theoretic measure of the dis- 
turbance, namely the defect of information at Bob's sta- 
tion. Moreover, this all-continuous scheme avoids a po- 
tential attack against the scheme proposed in Ref. [12-14] 
by filling in the gaps between the values used to encode 
the discrete key values (this will be explained later on). 

Let us now detail our protocol. The uncertainty re- 
lation implies that it is impossible to measure with full 
accuracy both quadratures of a single mode, Xi and 
Alice exploits this property by encoding the key elements 
(random Gaussian samples) as a quadrature squeezed 
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state either in Xi or in , in such a way that an eaves- 
dropper ignoring which of these two "bases'* is used can- 
not acquire information without disturbing the state. In 
basis 1, Alice prepares a squeezed vacuum state such that 
the fluctuations of Xi are squeezed {AX^ — al < 1/4), 
and then applies a displacement of Xx by an amount 
equal to the value of the Gaussian key {{Xi) = a;, where 
X is the encoded key element). The quantity <tI refers 
here to the intrinsic variance of Xi in the squeezed state; 
the corresponding squeeze parameter is ri = -b(2(7i). 
We denote by the variance of this Gaussian key, so 
the mean vadue {Xij is itself distributed as a Gaussian 
of mean 0 and vajiance . Conversely, in bcisis 2, Alice 
sends a squeezed state in Xq (AXf = 0-2 < 1/4), whose 
displacement encodes the Gaussian key ({X2) = x). 
Agadn, (X2) has a Gaussian profile with mean 0 and 
variance Ef, while the squeeze parameter in mode 2 is 
r2 = — ln(2o-2). Thus, in both basis, Alice encodes the 
key into a displaced vacuum squeezed state, the squeezing 
(by r) and displacement (by x) being applied at random 
on Xi or X2 . 

Now, for the cryptographic setup to be secure, we re- 
quire the statistical distribution of the Xi measurement 
outcomes to be indistinguishable whether basis 1 or 2 
is used by Alice. If this condition is fulfilled, Eve can- 
not obtain any indication on whether she is measuring 
a type 1 or type 2 squeezed state, whatever the statis- 
tics she accumulates. If basis 1 is used, the outcomes 
of ^1 measurements (that can be obtained in practice 
by homodyne detection) are distributed as a Gaussian of 
variance -f cl since each squeezed state gives an extra 
contribution of o-f to the variance. If, on the contrary, 
a type 2 squeezed state is measured, then the outcomes 
of Xi measurements exhibit a Gaussian distribution of 
variance l/( 16(72) as a result of the uncertainty princi- 
ple. Thus, we impose the condition 

E? + ,7? = 1/(16(7^) (1) 

Similarly, the requirement that type 1 and 2 squeezed 
states are indistinguishable when performing X2 mea- 
surements implies that E^ + = l/(16cri). These two 
relations can be summarized as 

l+El/al=l + i:l/<Tl = l/a' (2) 

where a ~ Aa\(72 = e^^^^*^*"^) is a (positive) dimension- 
less constant which must satisfy a < 1 (or <7\cr2 < 1/4) 
for Eq. (2) to be consistent. More generally, these two 
conditions guarantee that the density matrices of the en- 
coded key elements are the same in bases 1 and 2, making 
them indistinguishable. Thus, choosing the squeeze pa- 
rameters ri and T2 is sufficient to completely characterize 
the protocol. 

Let us now analyze the transmission of the Gaussian 
key elements in the case where there is no eavesdropper 
and the transmission is perfect. We first need to recall 
some standard notions of Shannon theory concerning the 
treatment of continuous transmission channels. Consider 



a discrete-time continuous channel which adds a Gaus- 
sian noise of variance cr^ on each signal. If the input x of 
the channel is a Gaussian signal of variance E^ , the uncer- 
tainty on X can be measured by the differential Shannon 
entropy h{x) = 2"^log2(27reE^) bits [15]. Conditionally 
on aj, the output y is distributed as a Gaussian of variance 
(T^ , so that the entropy of y conditionally on x becomes 
h[y\x) = 2'"Mog2(27re(T^) bits. Now, the distribution 
of y is given by the convolution of these two Gaussians, 
i. e., a Gaussian of variance -\- <t^ . Hence, the output 
entropy is h(y) = 2"^log2(27re{E^ -f o^)) bits. Accord- 
ing to Shannon theory, the information that is processed 
through this noisy channel can be expressed as the mu- 
tual information between x and y (the amount by which 
the uncertainty on y is reduced by knowing x): 

/(bits) = %)-%|x) = ilog2(l + 7) (3) 

where 7 = jcP' can be viewed as the signal-to-noise 
ratio (SNR). This is Shannon's famous formula for the 
capacity of a Gaussian additive noise channel [16]. Here, 
the signal variance (or power) is simply E^, while the 
noise variance is , This capa<:ity measures the num- 
ber of bits that can be transmitted asymptotically (using 
block coding) per use of the channel, with an arbitrary 
high fidelity for a given SNR. It can be shown to be at- 
tainable if the signal is Gaussian distributed (which is 
the case under consideration here). 

Coming back to our cryptographic setup, consider the 
situation (with no eavesdropping) where Bob performs a 
measurement in the good basis after the latter is publicly 
announced by Alice. (It is equivalent to the more realis- 
tic procedure where Bob measures the key in a random 
basis, but then discards the bad outcomes after the ba- 
sis is disclosed by Alice.) The SNR in basis 1 is simply 
7i = Ei/(rJ, while it is 72 = E2/<T2-in basis 2. Using 
this notation, Eq. (2) becomes 1 + 71 = 1 + 72 = l/^^j 
so that we must have the same SNR in both basis, 
7 = e^(^*+^2^ - 1. This means that the processed in- 
formation is also the same in both bases, and can be 
expressed, using Eq. (3), as 

Jo (bits) = - logj (a) = (n + T2)l ln(2) (4) 

Thus, our continuous quantum cryptographic technique 
can be essentially characterized by a single dimension- 
less constant a (the product of the X\ noise of type-1 
squeezed states times the X2 noise of type-2 squeezed 
states). It works provided that a < 1, as a finite amount 
of information is then processed from Alice to Bob. Note 
that Jo (expressed in natural units — nats — rather than 
in bits) is simply equal to the sum of the squeeze param- 
eters in bases 1 and 2, which reflects that the processed 
information is zero in the absence of squeezing, and grows 
linearly with squeezing in bases 1 and 2. For example, if 
(T\ — a\ — 1/8, i. e., if we have a squeeze factor — \/5 
in each basis, then a = 1/2, so we can process one bit on 
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average per use of the channel. This corresponds to 7 = 3 
in both bases. More generally, we see that the processed 
information in the absence of eavesdropping increases as 
a gets smaller. In some sense, the more we violate a 
pseudo-uncertainty relation (Ti<r2 > 1/4, the larger this 
information gets. Remember that <ri and (J2 are standard 
deviations of X\ and X2 measurements on type 1 and 2 
states, respectively. If they referred to Xi and X2 mea- 
surements on a same state, then the above uncertainty 
relation would apply, and Eq. (2) could not be satisfied 
(except for the useless case a = 1). 

The average photon number contained in each encoded 
key state clearly increases with the widening of the dis- 
placement (E^) needed to represent Alice key values for 
a given SNR. It also increases as squeezing increases, but 
then the displacement distribution can be narrowed to 
achieve a same SNR. Let us determine the relative con- 
tribution of these two effects focusing on one basis, and 
assuming for simplicity that (Ti = 0^2 = so that the 
same squeezing is applied on both quadratures. In this 
case, Eq. (2) implies that <t^ = ^e'^*-^ = isinh(2r), 
and 1 + 7 = e*'" . For a given encoded key state (with 
a squeeze parameter r and displacement x, where x is 
the key value Alice wishes to transmit), the mean pho- 
ton number can be written as = -|- sinh^ r, where 
the first term reflects the displacement effect while the 
second characterizes vacuum squeezing [17], For a given 
SNR 7 (or a given squeezing parameter r) , we obtain the 
average number of photons over all possible values x sent 
by Alice (distributed as a Gaussian of mean 0 and vari- 
ance E^), {N) = S^-f sinh^ r. Using the relation between 
7 and r, this gives for the average number of photons per 
key pulse: 

I^^e^^(l4-7)-^^-l 
2a 2 2 ^ ^ 

Equivalently, the processed information can be expressed 
as a function of the average photon number, 

/o(bits) = log2(2<i\r) + l) (6) 

implying that the photon number must increase expo- 
nentially with the processed information. 

We shall now investigate the tradeoff between the in- 
formation acquired by Bob and Eve in this continuous 
cryptographic protocol. First, we should emphasize that, 
even in the absence of eavesdropping, the key elements 
received by Bob are not exactly equal to those sent by 
Alice, This is in contrast with BB84, and is simply due 
to the fact that the noise due to the intrinsic fluctuations 
of the squeezed states . always adds to the signal, giving 
rise to a finite SNR. This already holds at Alice's station, 
regardless the (possibly tapped) channel. So, an eaves- 
dropper will be visible in this scheme by an enhanced 
noise variance (or a reduced SNR) at Bob's station. A 
protocol that Alice can follow to detect any eavesdrop- 
ping can be to disclose, on a public channel, the exact 
values X of a random subset of key elements. Then, Bob 



compares them to the received values y and computes 
the distribution of the differences y - x. For a perfect 
and untapped chemnel, it should be a Gaussian of vari- 
ance (T^, so the SNR is unchanged. Otherwise, the SNR 
decreases by an amount that can be viewed as a measure 
of the disturbance of the Alice-to-Bob channel. Assume, 
for example, that Eve uses an individual "intercept-and- 
resend" attack, measuring each key element in basis 1 or 
2, at random, and resending a squeezed state centered on 
the value of the measured quadrature. The variance at 
Bob's station is 2(7^ (twice the intrinsic variance!) if Eve 
used the good basis, or 1/(16(7^) in the opposite case, 
so the resulting noise variance is o-^[l H- l/(2a^)]. Thus 
Bob's computed SNR is reduced by a fsictor 2/(3-1-7). 

Let us now make the assumption that the optimal in- 
dividual eavesdropping strategy for Eve consists in using 
the optimal (Gaussian) cloning machine for continuous 
quantum variables [18,19], This is a very sensible conjec- 
ture as the phase-covariant qubit doner is known to be 
the best individual eavesdropping strategy for BB84 [20] 
(actually, the universal qubit doner is optimal for the re- 
lated six-state quantum cryptographic protocol [21,22]). 
We consider an attack where Eve makes two imperfect 
copies of the key element, and sends one of them to Bob 
while she keeps the other one. Bob and Eve both wait 
until Alice reveals the basis she used for encoding the 
key before measuring the received state in the appropri- 
ate basis (again, this is equivalent to Bob measuring in a 
random basis and then discarding the bad measurements 
after the basis disclosure). To analyze the information- 
theoretic balance between Bob and Eve, we use a general 
class of asymmetric Gaussian doners defined in Ref. [18] 
that result in a different amount of noise on both quadra- 
tures and for Bob and Eve. It is proven in Ref. [18] that 
the inequality 

4b4e>1/16 (7) 

must hold (and is saturated for this class of doners), 
where trf q and ^ ^^e the variances of the errors that 
aifect Bob's Xi measxirements and Eve's X2 measure- 
ments, respectively. For example, if basis 1 is used, 
then the outcomes of Xi measurements on Bob's side 
will be distributed a^ a Gaussian of variance + cr^ ^ 
since cloning-induced errors are superimposed on the in- 
trinsic fluctuations of the squeezed states. Similarly, 
a second no-cloning uncertainty relation holds, con- 
necting Bob's errors on X2 and Eve's errors on Xi: 
^2B^iE ^ 1/16. Let us now characterize the don- 
ers that saturate these inequalities by two parameters 
X arid 7: we rewrite the error variances on Bob's side 
^ ^Ib = Xl{(^llot) and (tI q = X7"H^2/<^)» while the 
errors on Eve's side are written as cr^ ^ = x~^l{<^\l^) 
and £; = X~^l~^{<^\l^)- Thus, x characterizes , the 
balance between Bob's and Eve's, errors as <T\^bIo'i,E = 
c^2,b/c^2,£ = X' Tiie limit X — >- 0 corresponds to the case 
where Bob has a negligible cloning-induced additional 
error on his measured quadratures, so he gets the entire 
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information Iq (Eve does not get any information). The 
case X = 1 represents a symmetric situation where the er- 
rors induced by cloning are the same for Bob and Eve. Of 
course, the limit x -->• oo is the opposite situation where 
Eve gets most of the information with no error. Simi- 
larly, 7 describes the quadrature 1 vs 2 balance, that is, 

Now, we need to express the information processed 
from Alice to Bob (or from Alice to Eve) in basis 1 (or ba- 
sis 2). In basis 1, the variance of Bob's measurement out- 
comes is crJ + o-J^jg = (l+x7/ct)<^ii while the distribution 
of the key elements has a variance Ef , Using Shannon's 
formula, Eq, (3), and the identity 1 + T\/al = l/a^, we 
obtain the information processed from Alice to Bob in 
basis I: 

h,B = \\oJ^^^) (8) 

Similarly, using the variance of Eve's outcomes in basis 2, 
^2 + ^2,E = [1 + l/(X7Qj)]<7"2) sin analogous calculation 
yields for Eve's information in basis 2 

Finally, the balance between Bob's and Eve's information 
can be expressed by calculating the sum of equations (8) 
and (9): 

+ h^B = \ log2{l/a') = /o (10) 

Remarkably, it appears that the information acquired by 
Eve on the second quadrature, /2,b, is exactly counter- 
baJanced by the defect of information at Bob's side on 
the first quadrature, Jo - h^B- Of course, the counter- 
part of Eq. (10) also holds when interchanging the bases, 
that is, 72,5 -\-h,E = lo- 

Thus, assuming that the use of the continuous doner 
is the best possible individual attack against our continu- 
ous cryptographic protocol, Bob's information loss can be 
viewed as a proper disturbance measure as it simply is an 
upper bound on the information that might potentially 
have been gained by an eavesdropper. Consequently, the 
net amount of key bits that can be generated by this 
method is bounded by /b - = /q - 2Ie' This follows 
from [23] where it is proven that the secret key rate of 
A and B with respect to E is lower bounded by the dif- 
ference of mutual information I(A]B) — I(A\E). Even 
though A, B and E here denote continuous variables, 
we can use this result provided that the generated key 
and the exchanged reconciliation messages are discrete 
as required in [23] . Our continuous variables A^ B and E 
only appear at the right of the conditional bar in entropy 
formulas, so they can be approximated by discrete num- 
bers (that is, they can be replaced by an integer such as 
[nAj, approximating the real variable A), As n grows, 
it will soon be close to the real variable with a precision 



far beyond what is. needed given the noise level. Thus, 
we conclude that our protocol can only work provided 
that Ie < hl2^ that is, iff x < 1. Stated otherwise, the 
quality of the signals measured by Alice and Bob must 
be bounded by > /o/2, or in terms of signal-to-noise 
ratios 7' > vTT^ - 1, where 7' is the SNR measured by 
Bob. This means that a 1-bit channel (7 = 3) may still be 
used if the noise power is almost tripled (7' > 1) . In sum- 
mary, the procedure we propose here consists in the quan- 
tum distribution of a (real) Gaussian key, followed by a 
discretization procedure so as to apply some (discrete) 
reconciliation and privacy amplification protocol. Such 
a strategy avoids a weakness of the squeezed-state cryp- 
tosystems as presented in Refs. [12-14]. There, the key 
is binary (or belong to a larger finite alphabet) , so there 
are always gaps between the discrete key values. This al- 
lows Eve to gain knowledge about the occurrences where 
she measured the wrong quadrature (without getting the 
key value). This knowledge alone is sufficient for her to 
attack this key distribution scheme simply by omitting to 
resend the corresponding key elements to Bob, thereby 
faking a small attenuation in the transmission. This lim- 
itation does not apply to our scheme since the continuous 
key values fill in an entire region in the {X\ , X2) phase 
space. 

In conclusion, an all-continuous quantum crypto- 
graphic protocol was proposed that is based on single- 
mode squeezed states of the electromagnetic field. It ex- 
ploits the uncertainty relation between the conjugate pair 
of quadrature components Xi and X2 by encoding a con- 
tinuous Gaussian-distributed key into either X^- or X2- 
squeezed states, thereby allowing a continuous key distri- 
bution between two remote parties. It is shown that the 
information acquired by an eavesdropper on the key ele- 
ments encoded in Xi is compensated by a reduction (by 
a same amount) of the key information available on the 
X2 amplitude at the receiver's station. This information- 
theoretic tradeoff characterizes the worst-case individual 
attack based on the cloning machine, so we conclude that 
the loss of information at the receiver's end is a good up- 
per bound on the tapped information. A realization of 
this continuous protocol based on squeezed states would 
be very challenging, as the generation of squeezed light 
has been a difficult experimental target for years. Also, 
it would require synchronized local oscillators at Alice's 
and Bob's stations, in order for them to have a common 
phase for homodyne detecting the ampUtudes Xi and X2. 
In addition, probably the main limitation in the imple- 
mentation of this protocol is related to the loss of squeez- 
ing effected by attenuation in the transmission medium. 
This would dramatically decrease the SNR,. and make 
the protocol less efficient (or insecure). In analogy with 
what is known for BB84, there probably is a threshold 
on the squeeze parameter that Alice should reach, below 
which the protocol would fail. Nevertheless, it should 
be stressed that the cryptographic protocol proposed 
here was analyzed using the conjugate pair Xi and Xi, 
but other complementary variables might be exploited as 
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well. In particular, one could possibly imagine a contin- 
uous cryptographic scheme based on the time-frequency 
complementarity, where ultra-short single-photon pulses, 
or, alternatively, single-photon pulses that are highly re- 
solved in frequency would be used in order to encode the 
Gaussian key. Such a scheme might possibly avoid some 
of the weaknesses of the squeezed state protocol, and be 
more appropriate for an experimental realization. 

We are grateful to Jonathan Dowling, Nicolas Gisin, 
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Abstract. The cloning of quantum variables with continuous spectra is investigated. We define a Gaussian 
l'-to-2 cloning machine, which copies equally well two conjugate variables such as position and momentum 
or the two quadrature components of a hght mode. The resulting cloning fidelity for coherent states, namely 
F = 2/3, is shown to be optimal. An asymmetric version of this Gaussian doner is then used to assess 
the security of a continuous- variable quantum key distribution scheme that allows two remote parties to 
share a Gaussian key. The information versus distiu-bance tradeoff underlying this continuous quantiim 
cryptographic scheme is then analyzed for the optimal individual attack. Methods to convert the resulting 
Gaussian keys into secret key bits are also studied. The extension of the Gaussian doner to optimal iV-to- 
M continuous doners is then discxissed, and it is shown how to implement these doners for light modes, 
using a phase- insensitive optical amplifier and beam splitters. Finally, a phase-conjugated inputs {N^N')- 
to-(M, M') continuous doner is defined, yielding M clones and M' anticlones from A'^ replicas of a coherent 
state and N' replicas of its phase-conjugate (with M' M = N' - N). This novel kind of doners is shown 
to outperform the standard N-to-M doners in some situations. 
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0 1 introduction 

^JJuantum information theory was originally developed for 
H discrete quantum variables, in particular quantum bits 
(qubits). Recently, however, it has been discovered that 
JTj several concepts that were invented for qubits extend very 
naturally to the domain of continuous variables (e.g., posi- 
^ tion and momentum of a particle, or the quadrature com- 
ponents of a mode of the electromagnetic field) . The first 
result in this direction concerned quantum teleportation 
[23,7], and gave rise to a lot of interest in continuous- 
variable quantum information processing. In the present 
paper, we focus on the notions of quantum cloning and 
quantum key distribution, and investigate how they can 
be extended to continuous variables. 

Cloning machines (that achieve the optimal approxi- 
mate cloning transformation compatible with the so-called 
no-cloning theorem) have been a fundamental research 
topic in the last five years. In Section 2, we will define 
a Gaussian doner, which achieves the optimal cloning of 
a continuous variable compatible with the requirement of 
being covariant with respect to displacements and rota- 
tions in phase space. In other words, this doner dupli- 
cates all coherent states with a same fidelity {F = 2/3), 
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The optical implementation of this doner and its exten- 
sion to N~to-M doners are also discussed. In Section 3, 
we then turn to quantum key distribution, and propose a 
continuous- variable cryptosystem that allows two remote 
parties to share a Gaussian key by exchanging continuous 
key elements carried by squeezed states. This scheme is 
the proper continuous counterpart of the protocol BB84 
[2] for qubits. Our continuous cryptosystem is related to 
the Gaussian doner for an asymmetric version of the lat- 
ter achieves the optimal individual eavesdropping strat- 
egy. Thus, our previous results on continuous cloning can 
be used to analyze the information versus disturbance 
tradeoff, in order to assess the security of this continu- 
ous cryptosystem. We find that the information gained by 
the eavesdropper is exactly upper bounded by the infor- 
mation lost by the authorized receiver. We also investigate 
a protocol to convert the raw Gaussian keys into a string 
of secret key bits, that is, We show how to apply .recon- 
ciliation and privacy amplification on continuous key el- 
ements. Finally, in Section 4, we come back to the issue 
of cloning continuous variables, and define a new class of 
"phase-conjugated inputs" doners. These doners produce 
several clones (and anticlones) from several replicas of an 
input coherent state and its phase conjugate. We show 
that adding these extra phase-conjugated inputs makes it 
possible to improve the cloning (and anticloning) fidelity 
with respect to the standard N-io-M doners. 
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2 Quantum Cloning Machines 

Let us first seek for a transformation which duplicates 
with a same fidelity all coherent states IV'), with = 
{x-\-ip)/y/2. The fundamental requirement we put on this 
transformation is that it is covariant with respect to dis- 
placements in phase space. That is, if two input states are 
identical up to a displacement D(x,p) = e~'^^e*^^, then 
their respective copies should be identical up to the same 
displacement. (In this paper, we put ^ = 1). Thus, cloning 
can be defined as a completely positive trace-preserving 
linear map C : C{\^)W) such that 



= D{x,p)C(mi;\)DHx,pl 



(1) 



for all displacements D(xyp) in the phase space. A sim- 
ple way to meet displacement co variance is to seek for 
a cloning transformation whose output clone individual 
states are given each by a Gaussian mixture: 



xD(x,p)\i;)W&{x,p), 



(2) 



where cr^ is the cloning-induced error variance. In the fol- 
lowing we will refer to such a transformation as a Gaussian 
doner. Note that Eq. (2) is such that the cloning induced 
noise on the quadratures x or p is invariant under rota- 
tions in the phase space, which is certainly a desirable 
property since it is satisfied by coherent states. Consider 
the following unitary operator: 



(3) 



where modes 1, 2 and 3 refer respectively to the origi- 
nal, the additional copy, and an auxihary mode (also ref- 
ered to as an ancilla) . This operator can be used to build 
a Gaussian doner if the additional copy and the ancilla 
are initially prepared in the vacuum state[12]. Indeed, it 
is readily checked that this transformation outputs two 
clones whose individual states are Gaussian-distributed, 
as in Eq.(2), with a variance cr^ = 1/2. In particular, 
it copies all coherent states |0} with the same fidelity 
/i,2 = (^b(V')[^)-2/3. 

This machine is optimal in the sense that it is im- 
possible to have a^(l, 2) < 1/2. To prove this, let us con- 
sider the following situation. A coherent state is processed 
through such a doner, the observable £ being measured at 
one output clone while the observable p is measured at the 
. other output. Let us denote by i7j and the respective 
error variances corresponding to this joint measurement. 
From the general theory on the simultaneous measurement 
of conjugate observables [1], we know that 



&p > 1. 

Using Eq. (2), we get 

(Sx'-^<T'){6p'^cr')>l, 



(4) 



(5) 




Fig. 1. Implementation of a 1 -> 2 doner using a phase- 
insensitive linear amplifier and a 50 : 50 beam-splitter (BS). 



where Sx^{Sp^) is the intrinsic variance of x (p) of the 
input state and is the cloning-induced variance. Now, 
using the uncertainty principle 6P6p^ > 1/4 and the in- 



equality + 6^ > 



we conclude that > 1/2, 



implying that the unitary operator Eq. (3) is indeed opti- 
mal to achieve Gaussian cloning[10]. 

A possible implementation of this machine (see Fig. 1) 
consists in processing the input mode into a linear phase- 
insensitive amplifier [8] of gain G = 2: 



03, 



(6) 

with Oj '= {xj + ipj)l\/2 denoting the annihilation opera- 
tor for mode j). Then, one produces the two output clones 
by processing the output signal of the amplifier through a 
50 : 50 phase-free beam-splitter: 



«'2 = ;^(ai-a2), (7) 



It is readily checked that this scheme leads to an equal 
x-error and p-error variance of 1/2 for both clones, that 
is, it achieves the optimal Gaussian doner. 

We will now present two generalizations of this 1—^2 
Gaussian quantum cloning machine. The first one consists 
in a transformation which from N [> 1) original input 
states produces M (> 2) output copies whose individual 
states are again given by an expression similar to Eq,(2), 
but with a different error variance <t^n,m • Using an argu- 
ment based on the concatenation of doners, it is possible 
to derive a lower bound on (t'^m.m, that is[10] 



1 



1 



with the corresponding fidelity for coherent states 



MN 



(8) 



(9) 



Again, these bounds can be attained by a transformation 
whose implementation necessitates only a phase-insensitive 
linear amplifier and beam splitters [6]. Loosely speaking, 
the procedure consists in concentrating the input modes 
into a single mode by a network of beam splitters, to am- 
plify the resulting mode, and then to distribute the output 
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amplified mode into M output modes through a secoad 
netwoxk of beam-splitters. 

The second generalization of the 1 — >■ 2 Gaussian quein- 
tum cloning machine we will briefly consider here is the 
case where the x and p quadratures are not treated equally, 
and the case where the two output clones do not have the 
same fidelity. Equation (2) then has to be replaced by 



i I 



dx dp e 



^^yffXp' (10) 

xD{x,p)mi>\bHx,p), 



where cr?^ (resp. (7?^) stands for the cloning-induced error 
variance in the quadrature x (resp. p) for the tth clone. 
In this case, it is possible to prove [12] that the following 
cloning uncertainty relations must hold: 



<ylA.p > 1/4, 

> 1/4. 



2,x 



(11) 



Asymmetries between the output clones and between 
the x/p variables can be characterized by the following 
two parameters: 

^=£M^^_ ^dA = ^ = ^. (12) 

As suggested in [16], asymmetric machines (with x 7^ 
1) can be implemented by a scheme akin to Fig. 1 in the 
sense that only two beam splitters and a single linear am- 
plifier are needed. We will see in the following section how 
these asymmetric quantum cloning machines can be used 
to assess the security of a continuous- variable quantum 
key distribution protocol. 



that (x) = r, (p> = 0, Ax^ = <tI and thus Ap^ = l/4<rl 
Similarly, when the value r ^ N{0yllp) is encoded in p, 
the encoding state has {p) = r, (ar) = 0, Ap^ = <rj and 
thus Ax^ = l/4o|. 

On his side, Bob measures either a: or p at random. 
Like in BB84, half of the measurements give results that 
are uncorrelated to Alice's values, so half of the samples 
must be discarded when Alice discloses the encoding vari- 
able. Unlike BB84, however, measuring the correct vari- 
able does not yield the exact value of r, even with a 
perfect apparatus, because of the intrinsic noise of the 
Gaussian state. The value r follows a Gaussian distribu- 
tion N{0,Ex^p), to which some Gaussian noise is added 
Ar(0,<Ta;^p), thus resulting in a Gaussiaji distribution with 
variance El j^ + al^. We can therefore model the trans- 
mission of r as a Gaussian channel with a signal-to-noise 
ratio (SNR) equal to Ll/<xl or El/aj. 

An important requirement of the protocol is to make 
it impossible for Eve to be able to infer which encoding 
variable Alice used. For this, measuring the correct or in- 
correct variable [x or p) must yield statistically indistin- 
guishable results. If, in contrast, Eve was able to detect 
(even not perfectly) that she measured the wrong set, 
then she could fake an attenuation by discarding wrong 
key elements and retransmitting only the correctly mea^ 
sured ones. This indistinguishability requirement can be 
expressed as the equality of the density matrices resulting 
from the two encoding rules, or equivalently as [13] 



1 + ^ 



(13) 



A proof of this is given in Appendix A. This also means 
that the SNR is the same for both variables x and p, and. 
that the information rate is [15] 



1, 



l0g2(l + El/4) = - l0g2(2(7,(7p). (14) 



3 Quantum Key Distribution 

In this section, we introduce a quantum protocol for the 
distribution of Gaussian key elements, which is a continuous- 
variable analogue of the protocol BB84 [2] - we assume 
here that the reader is familiar with BB84, Our protocol, 
introduced in [13], works like BB84 but with binary in- 
formation being replaced by continuous information that 
behaves essentially like in a Gaussian channel. 

One exploits a pair of canonically conjugate continuous 
variables x and p, which can be thought of, for instance, as 
the two quadratures Xi and X2 of the amplitude of a mode 
of the electromagnetic field [21]. Alice randomly chooses a 
random key element r that follows a Gaussian distribution 
with mean zero and variance 27^ , and randomly decides to 
encode it into either x (i.e., (x) = r) or p (i.e., (p) = r). An 
eavesdropper ignoring which of these two encoding rules 
is used cannot acquire information without disturbing the 
state. 

Let us now describe the exact nature of the states used 
for encoding each key element. When encoding the value 
r ~ N{OjEa;) in x, Alice creates a Gaussian state such 



3.1 Eavesdropping by cloning 

Let us now discuss an individual eavesdropping of this 

protocol with cloning machines such as those defined in 
Section 2. Eve makes two clones of the state sent by Al- 
ice, one of which is transmitted to Bob, and the other is 
measured in the correct variable when Alice reveals the 
encoding rule. This happens to be the optimal individual 
eavesdropping strategy as shown in [13] and [20]. 

We use a. I 2 cloning machine, arid we keep the 
freedom to make a better clone for Bob or Eve (parameter 
x\ and to get more accuracy in x or p (parameter A). 
The subscripts 1 and 2 for the two copies are replaced 
respectively by B and E for the two recipients. The added 
variances on the clones will be: 



(15) 
(16) 
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Let us calculate the resulting information rates. When 
Bob measures x, the result is affected both by the intrinsic 
fluctuations of x and by the noise induced by the cloning 
operation, thus resulting in a total variance al^-^x^- This 
is the noise power in the Gaussian channel representing 
the communication between Alice and Bob through Eve's 
cloning machine. Therefore, the information rate is now 

Similarly, one can calculate the new variance on p mea- 
sured by Eve on her clone, namely + |x~^>^~^- This 
gives an information rate 

JB,p = ^log,(l + ^,_^g_,^., ). (18) 

Adding the last two information rates indicates the 
bsdance between Bob's and Eve's information. Remark- 
ably, the information that Eve gains by using this attack 
on p is exactly equal to the information that Bob loses on 
^ [13], 

/B,.+/^.p=:ilog2(l + ^) = L (19) 

Of course, this balance also works when swapping x and 
p, namely Jb,p + Ib,x = 

This result is interesting because it allows Bob to bound 
from above the information gained by a possible eaves- 
dropper. Assuming symmetry of the protocol in x and p, 
Bob can estimate I—Ib and is guaxanteed that Ie < I—Ib 
(in practice, a part of the information loss will be due to 
channel noise). From Ref. [19], it is kwown that with rec- 
onciliation and privacy amplification carried out over a 
public authenticated channel, one is guaranteed to gener- 
ate key bits whenever Ib > Ie - This last condition is in 
turn guaranteed provided that Ib > 1/2, so that up to a 
50% information loss on Bob's side is acceptable in order 
to generate key bits. 

3.2 From Gaussian key elements to secret bits 

Let us now investigate the classical part of the key distri- 
bution protocol since we have to deal with reconciliation 
and privacy amplification based on continuous raw key 
elements here, in contrast to BB84. Shannon's formula 
gives us an upper limit on the number of bits one ca;n 
send through a Gaussian channel with a given SNR. In 
our protocol, neither Alice nor Bob chooses the Gaussian 
random values. Yet, we want them to be able to extract 
a common string of bits out of their correlated Gaussian 
values, revealing as little information as possible on the 
public channel. 

Our secret key distillation procedure [24] works in the 
following way. First, Alice and Bob are going to extract 
common bits out of their Gaussian-distributed values, us- 
ing a binary correction algorithm such as Cascade or a 



variant [5,22,25,14]. They will use it several times, on 
several real- to-binary conversion functions. Then, the re- 
sulting bits will undergo the usual privacy amplification 
procedure [19,4,3], for instance using a universal class of 
hash functions. 

Let X denote the random variable representing Alice's 
Gaussiem values, and Bob's values. Alice uses a set of 
real-to-binary conversion functions Si{X) = 0,1, (l<f< 
m). These are called slices, in the sense that instead of per- 
forming reconciliation on the real- valued string xi,,^i, we 
operate on each string Si{xi^^^i) sequentially, like sHces of 
the main, real- valued string. On his side, Bob uses another 
set of functions Si , called slice estimators^ which reflects 
his best guess on the bit Si{X) given his current knowl- 
edge. The slice estimator Si is not only a function of X' 
but also of the previous slices, Si{X' , Si (X), . . . , 5t-i(X)). 
This results from the fsict that the slices are corrected 
sequentially for i = l,..,,m, and thus upon correcting 
slice i Bob already knows 5i(X), . . . S,_i(X). By care- 
fully choosing the functions Si and Si , both parties can 
extract a common string of bits out of the correlated 
Gaussian values, while only disclosing a little more than 
H{Si{X),. . , ,Sm{X)\X') bits on the public chaimel. A 
more detailed analysis is given in [24]. 

Let us take an example. Assume the channel has E^/a^ = 
15, which means that Alice and Bob can share up to 
/ = I log2(l + ir^/(T^) = 2 bits per raw key element. We 
assume m = 5 slices as a trade-off between the eflaciency 
of large m and the use of reasonable computing resources. 
The slice functions iS', (X), 1 < t <. 5 are constructed in 
the following way. First, the Gaussian distribution of X 
is divided into 2"* = 32 intervals. The interval labeling 
function T{X)^ which associates an interval number (from 
0 to 31) to each value of a:, is chosen so as to maximize 
I{T(X)] X'). Thus, Bob starts with an optimal knowledge 
o{T{X). Then, we create the slice functions by assigning 
bit values to each of these intervals. Stated otherwise, we 
create a bijection between Si„,^[X) and T[X) so that each 
vector of the 5 slice bits represents one (and only one) in- 
terval defined by T{X). Much freedom is permitted at this 
step, but what we found to work best is to assign the least 
significant bit of the interval number to Si(X)j the second 
bit to 52 (-X"), and so on up to the most significant bit to 
S,{X). 

The slice estimator functions 5i,..5(X', . • •) sire con- 
structed from the slices Si,,,s[X) and from the joint prob- 
ability density /A^,x'{aJ,a;'). Each estimator Si evaluates 
whether Si{X) = 0 or Si{X) = 1 is more likely condition- 
ally on the arguments given to the estimator, namely X' 
and the previous slices 5;<<(X). 

In the present example, Alice's and Bob's bits are al- 
most uncorrected when correcting slices 1 and 2. The bi- 
nary correction algorithm does not have to be used at this 
point - it is enough for AUce to entirely reveal Si(X) and 
S2(X) for the whole string. Then, slice 3 on Alice's side 
and the slice estimator 3 on Bob's side produce two bit 
strings that match 76% of the time - it is thus possible to 
proceed with error correction using a binary correction al- 
gorithm. Note that the bit strings would be less correlated 
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if the knowledge of Si{X) and S2{X) was not brought to 
Bob. Then for slice 4 (resp. slice 5), Alice's and Bob's 
string match 98% (resp. 99.999%) of the time, for which 
the binary correction will disclose only a small amount 
of information. Again, the knowledge of slices 1-3 helped 
Bob accurately estimate slice 4, which in turn helped him 
estimate slice 5. 

As a result of this 5-step correction, Alice and Bob 
share a string of bits whose entropy is ^r(5i...5) = 4.8 bits 
per raw key element. Assuming a perfect binary correction 
algorithm, about 3 bits per raw key elements were dis- 
closed. Roughly speaking, the net effect is thus 4.8 — 3 = 
L8 bit of secret information per raw key element after 
privacy amplification (which is to be compared with the 
2 bits per key element as given by Shannon's formula). 

This is of course only an example. More elaborate con- 
structions can be performed, such as gathering d Gaussian 
key elements at once. In fact, it was shown in [24] that 
the disclosed information reaches the Shannon bound as 
(f -> oo, just like for instance data compression works best 
for asymptotically large block sizes. 

Now that we showed how quantum cryptography (fol- 
lowed by reconciUation and privacy amplification) can work 
with continuous variables, let us investigate another appli- 
cation of continuous variables to a special kind of quantum 
cloning machines. 



4 Phase-Conjugated Inputs Quantum Cloning 
Machines 

It has been shown that an antiparailel pair of qubits is in- 
trinsically more informative than a pair of parallel qubits 
if the goal is to encode a direction in space [18]. Simi- 
larly for quantum continuous variables, one can show that 
more information can be encoded in a pair of phase- con- 
jugated coherent states |V^)|^*) than in two identical repli- 
cas [9]r Following on these ideas, we present here a 
phase-conjugated input (PCI) quantum cloning machine, 
that is, a transformation which taking as input N replicas 
of a coherent state and N* replicas of its complex con- 
jugate IV'*), produces M optimal clones of |^) [11]. Again 
we will require that all the clones are treated equally, and 
that the doner is co variant with respect to both displace- 
ments and rotations in phase space. As a matter of fact, it. 
turns out that such a transformation can be implemented 
optimally using a sequence of beani-splitters, a single non- 
linear medium, and another sequence of beam-splitters, 
just as in the case of standard cloning. The procedure is 
the following (see Fig. 2): 

(i) Concentrate the A'' replicas of |^) stored in the N- 
modes {c(} (/ = 0 . . . A^- 1) into a single mode ai, resulting 
in a coherent state of amplitude ^/N tp. This operation can 
be performed with a network of beam-splitters achieving 
a iV-mode Discrete Fourier Transform (DFT)[6]. We get: 



\9>- 



1 



N-l 



(20) 
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Fig. 2. PCI doner that produces M clones and M' anti-clones 
from N rephcas of |^) and N' repUcas of |^*). Modes are 
concentrated and distributed by Discrete Fotirier IVansform 
(DFT). 



and iV— 1 vacuum modes. Similarly, with a N'-mode DFT, 
concentrate the iV' replicas of [V'*) stored in the JV' modes 
{di} (/ = 0 . . . iV' ~ 1) into a single mode 02. This results 
in a coherent state of amplitude 's/W\j>* . We have: 



02 



(21) 



(ii) Apply the following transformation on the modes 
ai and aa, resulting in modes bi and 62 defined by 



bi ^VGai-hVG-lal, 
62 = \/C?-lal-f \/Ga2, 



where 



with 



\/N'M' - VnM 
N'-N 



M' - M = N' - N. 



(22) 



(23) 



(24) 



For obvious reasons, we call this transformation a 'phase- 
conjugated input amplification' (PCIA). 

(iii) Distribute the output mode 61 into M clones {c|} 
(? = 0 . . . M - 1) with a M-mode DFT: 



1 



(25) 



where {vk} {k = 1... .M — 1) denote M — I additional 
vacuum modes. It is readily verified that this procedure 
yields M clones of . Interestingly, the amplitude 62 of 
the other output of the PCIA has a mean value y/Wij;*. 
Therefore, it can be used to produce M' phase-conjugated 
clones (or anti-clones) of jV'), {d\} (/ = 0 . . . M' — 1), using 
a M'-mode DFT: 



1 



:(t2+e' 



(26) 



where {wk} (A: = 1 . . . M' - 1) denote M' - 1 additional 
vacuum modes. 

Some algebra shows that this procedure is optimal to 
produce M clones, and that the additional Af' anti-clones 
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are also optimal[ll]. Furthermore, since the step (ii) of 
our procedure is linear and phase-insensitive, the resulting 
PCI doner is covariant with respect to translations and 
rotations of the state to be copied: all coherent states are 
copied equally well, and the cloning-induced noise is the 
same for all quadratures. 

It is straightforward to calculate the noise of the clones 
and anti-clones: 



As expected, the variance of the output clones exceeds 1/2, 
reflecting that perfect cloning (anti-cloning) is indeed im- 
possible. Instead, they suffer from a thermal noise with a 
mean number of photons given by {nth) = (G - 1)/M. In 
other words, their P-function [21] is a Gaussian distribu- 
tion 



(28) 



rather than a Dirac distribution P{(,C) = S^^H^ - ^). 



4.1 Balanced phase-conjugated inputs doner 

Consider now the balanced case {N =: N^^ M = M'), 
for which simple expressions of the noise variance and 
the fidelity can be obtained. We then have G = (M -h 
Nf/mN, giving 



(^c;)-=(^d;)^ = i + (^l^:^. 



and 



Jn,m — 



1 + (nth) 4M2/ir + (M - NY ' 



(29) 



(30) 



Let us compare these quantities to the variance and 
fidelity of a 2N M usual cloning machine, as obtained 
by replacing N into 27V in Eqs. (8) and Eq.(9). Of course, 
in the trivial case where M — 2N, standard cloning can be 
achieved perfectly, while the balanced PCI doner yields an 
additional variance (nth) ~ 1/(16//). However, whenever 
M > 2N + 1, the {^) M PCI doner outperforms the 
standard 27V M cloning machine. Also, comparatively 
more anti-clones with a higher fidelity are produced with 
the PCI doner. Indeed, a standard ,2iV — )■ M cloning ma- 
chine produces M — IN anti-clones of fidelity 2N/2N -f- 1, 
which is actually the fidelity of an optimal measurement 
of 27V replicas of |^), whereas a PCI doner produces M 
anti-clones with a higher fidelity, as given by Eq. (30). In 
particular, for 7lf oo, we see from Eq, (29) that the ad- 
ditional noise induced by a PCI doner is 1/47V, that is, one 
half of the noise induced by a standard 27V -> oo doner 
(i. e., 1/27V). In this case, the output of the PCIA can be 
considered as classical and the underlying process appears 



to be equivalent to. a measurement. This reflects that more 
classical information can be encoded in TV pairs of phase- 
conjugated repUcas of a coherent state rather than in 27V 
identical replicas, a result which was proven for TV = 1 in 
[9]. More generally, in the unbalanced case (TV ^ TV'), it is 
reawiily checked, using Eq.(23), that the optimal measure- 
ment results in a noise that is equal to that obtained by 
measuring (\/TV -|- VTV')^ identical replicas of the input, 
in the absence of phase-conjugated inputs. 



^27) 4.2 Unbalanced phase-conjugated inputs doner 



As we have just shown, the balanced PCI doner results 
in better cloning fideUties than a standard doner. More 
generally, we may ask the following question: in order to 
produce M clones of a coherent state |^) fi:om a fixed to- 
tal number n of input modes, TV of which being in the 
coherent state |0) and TV' of which being in the phase- 
conjugated state IV**), what is the phase-conjugate frac- 
tion a = N^/n that minimizes the error variances of the 
clones? 

From Eq. (22), we see that for fixed values of the total 
number of input replicas n and number of output clones 
the gain G (and thus the noise of the clones (nth)) 
only depends on a and varies as 



2a -1 



(31) 



In Fig. 3, the value of \/{nth) is plotted as a function of 
a for n = 8 and different values of Tlf > n. In the trivial 
case where Tlf = n = 8, the minimum additional vari- 
ance is of course zero, and is obtained for a = 0. The 
cloning transformation is then just the identity. However, 
when M > n -{- 1, using phase-conjugated input modes 
yields lower variances than standard cloning if a is cor- 
rectly chosen (the lowest variance is then always attained 
for a 0). Remarkably, the value of a achieving the mini- 
mum variance is not equal to 1/2 for finite TW, that is the 
optimal input partition contains more replicas than anti- 
replicas. In the limit of large Tlf , however, the number of 
anti-replicas achieving the lowest variances tends to n/2, 
and the curve G{a) tends to a symmetric curve around 
a ~ 1/2. This behavior was expected, since TW = oo cor- 
responds to a measurement [17,10] and we expect that 
measuring the value of rj) from TV replicas of |^) and TV' 
replicas of j-^*) is equivalent to a cloning transformation 
starting frorii TV' replicas of and TV replicas of 
So, we conclude that the optimal measurement is achieved 
with balanced inputs (TV = TV'), as. previously mentioned. 
Finally, in the case where 0 = 1, the transformation con- 
sists in producing M clones of from n replicas of (V'*)- 
This is just phase-conjugation, for which we know that 
the best strategy is to perform a measurement [9]. The 
additional variance is therefore given by 1/n, which does 
not depend on M. This explains why the curves converge 
all to the same point at a = 1. 
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Define the Gaussian states |^ar(r, <Tx)) such that (x) = 
r, (p) = 0, Ax^ = al and Ap^ ~ l/4(r2. Similarly, let 
\'ipp{r,(Tp)) be such that (x) = 0, {p) = r, ^ar^ = l/4cr2 
and Ap^ = a^. With the eigenstates |a:) of our states 
have the following scalar products: 



Fig. 3. Cloning-induced noise standard deviation y/{nth) as a 
function of the phase-conjugate fraction a = AT'/nj for n = 8 
and several values of M/n. 



— e p e 



(32) 
(33) 



The density matrices and pp are defined as: 



#«{r,(r.))(V.('-.«^«)l (34) 



and 



5 Conclusions 

In summary, we have studied continuous- variable cloning 
machines, which produce several copies from one or more 
replicas of an arbitrary coherent state. We have derived 
the optimal fidelity of such doners, as well as the ac- 
tual cloning transformations and the potential methods 
to implement them. We have then proposed a quantum 
key distribution protocol relying on continuous variables, 
and shown how to apply reconcilation and privacy am- 
plification to the generated continuous key elements. We 
have investigated the balance between the information 
gained by the eavesdropper and that received by the au- 
thorized receiver, using cloning as an optimal individual 
eavesdropping strategy. Finadly, we have analyzed a new 
class of continuous- variable cloning machines, which ad- 
mit phase-conjugated inputs in addition to the normal in- 
puts. By exploiting the antiunitarity of phase-conjugation, 
these new doners can beat the standard doners in some 
cases. There is in general some non-zero optimal phase- 
conjugate input fraction in order to maximize the cloning 
fidelity. As a conclusion, it should be emphasized that 
these phase-conjugated inputs doners do not extend on a 
qubit-based concept, in contrast with all previously devel- 
oped information-theoretic processes for continuous quan- 
tum variables. Such a qubit doner, admitting additional 
flipped qubits as inputs, has yet to be found. 
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the IST-FET-QJPC European programme. S. I. acknowl- 
edges support from the Belgian FRIA foundation. G. V. 
A. acknowledges support from the Communaute Frangaise 
de Belgique under an Action de Recherche Concertee. 



A Density Matrices of Encoding Rules 

In this Appendix, we would like to give further details 
regarding the protocol defined in section 3. In particular, 
we will prove the equality of the density matrices px and 
Pp corresponding to Alice's two encoding rules provided 
that eq. (13) is verified. 



/.+00 ^-r''/2Sl 

/>P = j^^ dr IV'p(r,crp))(V>p(r,^p)| (35) 

Let us now calculate and (xjpp|a;') in order to 

show that px ^ pp. 



/ + 00 
dr 
-CO 



+CO g-rV2^2-(3:-r)V4(Tj-(ar'-.r)V4cr2 



(36) 



The exponent of e in the above equation can be rewritten 
as 



V 2(<Tg+i?3) J X^ -h X' 



(37)- 



After integration, this yields 



(38) 



For ppj we have 



/ + 00 
dr 
■OO 



2ap_ 



(39) 



Taking (13) into account, we have (ajj/Ja-la;') = {x\pp\x*) 
for all Xj x'. Therefore, p^ — pp. 
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Reconciliation of a Quantum-Distributed Gaussian 

Key 

Gilles Vein Assche, Jean Caxdinal and Nicolas J. Cerf 



Abstract — Two parties, Alice and Bob, wish to distill a bi- 
nary secret key out of a list of Gaussian variables that were 
distributed with the help of quantum cryptography. We 
present a novel construction that allows the legitimate par- 
ties to get equal strings out of correlated variables, using a 
classical channel, with as few leaked information as possible. 
This opens the way to securely correcting non-binary key el- 
^^ements. In particular, the construction is refined to the case 
^^of Gaussian-distributed variables as it applies directly to a 
quantum cryptography protocol developed recently. 

Keywords — Cryptography, secret-key agreement, privacy 
^ amplification, quantum secret key distribution. 



I. Introduction 



With the advent of quantum cryptography, it is possible 
CNfor two parties, Ahce and Bob, to securely agree on secret 
^information that shall later be used as a key to encrypt 
O^^^^g^ [2], [3], [4]. The quantum channel, which Al- 
rOice and Bob use to create a secret key, is not deemed to 
o be perfect. Noise will necessarily make Alice's and Bob's 



values different. Furthermore, laws of quantum mechanics 



pimply that eavesdropping also causes extra discrepancies. 
^^To overcome this, one can correct errors by using some in- 
^^teractive reconciliation protocol, carried out over a public 
Ph authenticated channel [5], [6]. Yet, this does not entirely 
w solve the problem as an eavesdropper can gain some infor- 
C/3mation about the key while Alice and Bob exchange their 
J-^ public reconcihation messages. Fortunately, such gained 
^information can then be wiped out, at the cost of a re- 
ITjjduction in the secret key length, using another protocol 
called privacy amplification [7], [8]. This paper focuses on 
Cj a specific extention of reconciliation protocols in the case 
of Gaussian-distributed key elements. 

Current reconciliation and privacy amplification proto- 
cols are aimed at correcting and distillating strings of bits. 
Their purpose is to complement existing quantum key dis- 
tribution schemes, which enable Alice and Bob to share a 
common random string of elements from a. binary alphabet. 
However, a recently proposed crypto-scheme shows hpw to 
distribute a secret key composed of Gaussian-distributed 
elenients instead of bits [9]. Not surprisingly^ the exist- 
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ing reconciliation and privacy amplification protocols are 
not well suited for this kind of application. There is thus 
a need for extending such protocols to be able to process 

continuous keys. 

The core material presented in this paper assumes that 
Alice and Bob initially share some correlated list of con- 
tinuous values. Our strategy is as follows. First, Alice 
and Bob exchange public reconciliation messages over an 
authenticated channel. Our extended protocol is designed 
to turn Alice's and Bob's values into identical strings of 
bits. Notice that the input is a list of continuous variables, 
whereas its output has a discrete nature - our reconciliation 
protocol mixes error correction and continuous- to-discrete 
conversion purposes. Then, Alice and Bob perform privacy 
amplification. Since both the input and the output of the 
privacy amplification step are discrete, existing protocols 
can be used without any change. 

The outline of this paper is as follows. First, we give an 
overview of the Gaussian key quantum distribution scheme 
[9]. Then, we discuss our choices in terms of continuous vs 
discrete components at various stages of the present proto- 
col. In the subsequent section, we introduce the concept of 
sliced error correction as a framework on which our recon- 
ciliation protocol is based. We then analyze this protocol 
in terms of leaked information. Finally, we display specific 
results when the protocol is used to extract secret informa- 
tion out of correlated Gaussian values. 

II. Quantum Distribution of a -Gaussian Key 

Quantum cryptography-— or, more precisely, quantum 
key distribution — is a technique that allows two remote 
parties to share secret random information (a secret key) 
that can be used for exchanging encrypted information [1], 
[2], [3], [4]. The security of such a process fundamentally 
relies on the fact that the measurement of incompatible 
variables inevitably affects the state of a quantum system. 
The basic idea is the following. A legitimate user (Alice) 

..sends random key elements to another user (Bob) using 
either one of two sets of quantum carriers of information. 

. Alice randomly chooses one of the two sets of carriers, , en- 
codes a random key element using this set, and sends it 
to Bob. On his side, Bob measures the received quantum 
state by guessing which set of carriers Alice chose. The 
sets of information carriers are designed in such a way that 
measuring the wrong set yields random uncorrected re- 
sults. Therefore, Bob will measure correctly only half of 
the key elements Alice sent him, not knowing which ones 
are wrong. After the process, Alice will reveal which set 
of carriers she chose for each key element, and Bob will be 
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able to discard all the wrong rneaaiirexrients. 

An eavesdropper (Eve) gan. of bourse mtercept quantum 
carriers and try to measure, them. However, like Bob, Eve 
does not know which set of carriers Alice chose for each 
key element. A measurement lyjU yield irrelevant results 
about half of the time, and thereby disturb the sate of the 
carrier. Not knowing if ;she , has .a correct value, Eve can 
decide to retransmit or not a quantum carrier with the key 
element she obtained. Discarding the element is useless for 
Eve since this sample will not used by Alice and Bob. 
However, if she does retransmit ,the. state (even though it 
is wrong half of the time), Alice and Bob can detect her 
presence by an miusuaJily,hi^h= error. latg.betw^^ their key 
elements. , . 

The quantum key distribution works . because of the ad- 
vantage Bob has over Eye of being able to talk to Alice 
over a classical authenticated channel,,. This allows the 
legitimate users to compare some key elements to detect 
eavesdropping, agree on, a secret .key using a. reconciliation 
protocol, and apply privacy amplification techniques to re- 
duce Eve^s partial knowledge on the final key. 

As an example, some quantum key. distribution protocols 
use as carriers single photons- whose polarization encodes 
the key element. In one.set of carriers,, a binary 0 is encoded 
as a vertical polarization of ; the- emitted photon, whereas 
a binary 1 is. sent with, horizontal polarization. The other 
set of carriers uses 45-degree and 135-degree polarization. 
Of course, measuring, a photon using, the wrong set of po- 
larizjation yields random uncprrelated results and disturbs 
the quantum carrier. \ . i • .,\ ■. ■ . 

Unlike the above example, which, is based on binary in- 
formation, the protocol proposed iin;, [9] uses two sets of car- 
riers that behave essentially likei Gaussian ^ channels. One 
exploits a pair of canonically conjugate continuous vari- 
ables such as the two qu^idratures. JCi and, X2 of the am- 
plitude of a mode of the islectromagnetk fiield [10], which 
behave just like position a? -and momentum p. The uncer- 
tainty relation AXi AX2 > 1/4 then states that it is im- 
possible to measure with full accuracy hath quadratures of 
a single mode, Xi and X2. Alice exploits this property by 
encoding the key elements (random Gaussian samples) as a 
quadrature squeezed state either in Xi or in X2 , in such a 
way that an eavesdropper ignoring which of these two sets 
is used cannot acquire information without disturbing the 
state. 

Simply stated, such states behave like 2D Gaussian dis- 
tributions in the Xi , plane. In set 1, the carriers are 
shaped as A^(a;,cri) x 7/(0, l/4ai) in the Xx,X2 plane, 
where x is the key element Alice wishes to send, and x 
is itself distributed as a Gaussian: x 'y iV(0,Ei). In set 2, 
the carriers are similar but ^Yi and X2 are interchanged, 
iV(0,l/4cr2)x Ar(a;,tT2). 

More formally, creating a state from set 1 requires Alice 
to prepare a squeezed vacuum state such that the fluctua- 
tions of Xi. are squeezed (AA^f = erf < 1/4), and to apply 
a displacement of X^ by an amount equal to the key ele- 
ment X such that {Xi) = x. The quantity al refers here 
to the intrinsic variance of Xi. Conversely, in set 2, Alice 



sends a squeezed state in X2 (A-X"! = < 1/4), whose 
displacement encodes the Gaussian key {X2) = x. Again, 
{X2) has a zero mean and a variance .E2. 

The intrinsic fluctuations of the transmitted states are 
such that Bob's measurement will not give him the exact 
value X chosen by Alice, even in absence of eavesdropping 
and with a perfect measurement apparatus. If set i = 
1,2 is used, the, outcomes of X,- measurements (that can 
be obtained by hompdyne detection) are distributed as a 
Gaussian of variance E? H- since each squeezed state 
giyes an extra contribution of of to the key variance E?. 
Theripfore, we can model the transmission as a Gaussian 
chaimel with a signal-tp-noise ratio (SNR) equal to Ef/cr?, 

An important . requirement of the protocol is to make 
impossible for Eve to be able to infer which set Alice 
used.! For this, measuring the correct or the wrong set 
must yield statistiGally indistinguishable results. If, in con- 
trast, Eve was able to detect (even not perfectly) that she 
measured, the wrong set, then she could fake an attenua- 
tion by discarding wrong key elements and retransmitting 
the correct ones. This requirement can be expressed [9] as 
1 4- ^11 al = 1 + S2/0-2. This means that the SNR is the 
same for both set 1 and set 2, and the information rate is 
/ = ^log(l -h T.I/(tI), We proved in [9] that, in case of 
eavesdropping, the optimal strategy on individual carriers 
(using cloning tri9chines) will give Eve an expected infor- 
mation rate equa,l tp the expected information rate Bob will 
Ipse Qii . his side,. The sum of Bob's and Eve's information 
rate is thereby a^ constant: /b + -Te /. 
...T^he requirement; of equal distributions is strong in the 
sense that Alice .must s^trictly respect x ~ iV(0,Ei or 2)- 
She; may not.. choose a niapping x{k) horn some discrete 
alphabet to R that satisfies Aa: = Si or 2. The resulting 
distributipn would npt be Gaussian, and Eve would be able 
to infer whetl^er she measured the correct set of carriers. 
It .19 therfore. essential .for Alice and Bob to exchange: a 
fully cpntinuous raw key through the quantum channel. 
Extracting discrete information, which" is the scope of this 
paper, can only appear in a later stage, namely during 
reconciliation and privacy amplification. 

III. Discrete vs Continuous Variables 

It is shown in [9] that working with continuous quantum 
states as carriers of information naturally leads to express- 
ing information in a continuous form as well. It was thus 
tempting to generalize the whole key distribution process 
with continuous variables, including reconciliation and pri- 
vacy amplification, to get a continuous secret key. However, 
encrypting a message with a continuous Vernam-like cipher 
would probably suffer from incompatibilities or inefficien- 
cies with regard to current technologies and applications. 
Furthermore, it is much more convenient to rely on the 
equality of Alice's and Bob's values in the discrete case, 
rather than dealing with bounded errors oii real numbers. 

Because modern communication technologies are de- 
signed to carry zeroes and ones, we decided to transform 
the sifted Gaussian key values into a discrete key. With 
the choice of a discrete final key as starting point, we de- 
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duce that, at the very end of the privacy amplification step, 
the two communicating parties must get discrete variables.. 
Yet, we have to show why we chose discrete reconciliation 
messages and a discrete output after reconciliation. 

Because of the finiteness of the (public authenticated) 
reconcihation channel capacity, exchanged reconciliation 
messages are either discrete or noisy continuous values. 
The latter case introduces additional noise into the proto- 
col. This quite contradicts our requirements, as we would 
precisely expect from an error correction protocol to re- 
duce differences between Alice *s and Bob's raw key ele- 
ments. Furthermore, a noisy continuous reconciliation mes- 
sage would not be able to benefit from the authentication 
feature of the reconciliation channel. Hence, discrete rec- 
onciliation messages are preferred. 

The choice of a discrete final key also induces discrete 
effects in the protocols, which makes natural the choice 
of a continuous-to-discrete conversion during reconcilia- 
tion. Call X the original Gaussian value that Alice sent, 
z' the Gaussian value as received by Bob and k the re- 
sulting discrete key element. The process of reconciliation 
and privacy amplification can be summarized as functions 
* = fAix, Ci, C2, . . . , C^) and k = fB{x\ Ci, C2, . . . , Cm), 
where the (C,) indicate the exchanged messages. As both A; 
and (C) are to be taken in some finite set, these two func- 
tions define each a finite family of subsets of values that give 
the same result: SkCi...Cm = * /a (a;, Ci , , . . , Cm) = k} 
^^Sic,...c^=W ' /b(x',Ci,...,C^) = A:}. The iden- 
tification of the subset in which x (or x') lies is the only 
data of interest - and can be expressed using discrete vari- 
ables - whereas the value within that subset does not affect 
the result and can merely be considered as noise. 

For all the reasons stated above, our extended reconcil- 
iation protocol mainly consists of exchanging discrete in- 
formation between the two communicating parties so that 
they can deduce the same discrete representation from the 
real values they share. 

IV. Sliced Error Correction 

Sliced error correction is a generic reconciliation proto- 
col that corrects strings of non-binary elements. It gives, 
with high probability, two communicating parties (Alice 
and Bob) equal binary digits from a list of correlated val- 
ues. Just like other error correction protocols, it makes 
use of a public authenticated channel. The underlying idea 
is to convert Alice's and Bob's values into strings of bits, 
apply a bitwise correction algorithm as a primitive (e.g., 
Cascade [5]) and taJce advantage of all ayailable informa- 
tion to minimize the number of exchanged reconciliation 
messages. 

The key feature of this generic protocol is that it enables 
Alice and Bob to correct errors that are not modeled using 
a binary, symmetric channel. Instead, by carefully supply- 
ing slice and slice estimator functions described below, one 
can deal with errors whose severity is intermediate between 
perfect equality (a correct bit) and full error (a flipped bit) . 
An example for an intermediately severe error would be a 
5 becoming either a 4 or a 6 in a decimal alphabet. And 



of course, an error on a Gaussian key element can have a 
degree of severity depending on the difference between the 
original and the noisy value, 

Let us now assume that Alice and Bob both have a list 
of values, namely xi xi for Alice and x[ ... x[ for 
Bob. Any distribution p(x,x') is acceptable, as long as 
I{X;X') > 0 (where X is the random variable associated 
to Alice's key element and X' to Bob's). To be general, it 
is possible for Alice and Bob to process multi-dimensional 
key values rather than individual ones. To this end, Alice 
and Bob may agree on a number d of dimensions and group 
their values into d-dimensional vectors. In the subsequent 
paragraphs, x denotes one of Alice's (possibly vectorial) 
values while x' denotes one of Bob's. Alice's (resp. Bob's) 
raw key space is defined as the set of possible d-dimensional 
values X (resp. x'). In the case of Gaussian-distributed 
values the raw key space is R^, 

The first ingredients we need to define are the slices. A 
slice 5(x) is a function from Alice's raw key space to the set 
{0, 1}. A set of slices Si{x) . . , Sm{x) is chosen so that the 
vector S(x) = (Si(x), . . .5m(aj)) implicitly defines a map- 
ping from Ahce's raw key space to a discrete alphabet of 
size 2"* (or less if some combinations are left out) . With- 
out describing the entire protocol yet, let us say that Alice 
will convert her values into binary digits using the defined 
slices. 

On his side, Bob has a set of slice estimators 5i(x'), 
S2{x',Si{x)) ... Sm{x\Si{x),...,Sm^i(x)). Each sUce es- 
timator defines a mapping from Bob's raw key space and 
Alice's slices of lower indexes to the set {0, 1}. As explained 
below, an estimator .§,-(x', 5i(x), . . .5,«i(x)) will be used 
by Bob as his best guess on the value of Si{x) given the 
(already corrected, therefore known) previous binary val- 
ues Si{x) . . . Si-i{x). 

The construction of slices Si{x) depends on the nature of 
the raw key space. These aspects are covered in a following 
section, where we apply the sliced error correction to our 
Gaussian key elements. 

Let us now describe our generic protocol. 

• From her list of / (possibly vectorial) values xi...xt, 
Alice creates m strings of bits using the defined slices 
(5i(xi),...,5i(x/))...(5„.(xi),...,S^(xO). 

• Bob constructs a string of bits from his values x^ . . . x{ 
using his slice estimator §1 : (5i (xi), . . . , §1 (xj)). 

• Alice and Bob make use of a chosen bitwise correction 
protocol (e.g., Cascade [5]) so that Bob aligns his bit values 
on Alice's. 

• For each subsequent slice i, 2 < i < m, Bob constructs a 
new string of bits using his slice estimator Si applied to his 
values x[ . . .x[ and taking into account the correct, bit val- 
ues of the previous slices 5i(xi), . .., 52(xi), 5i_i(x/). 
Again, Alice and Bob align their bit values using the chosen 
bitwise correction protocol. 

• For Alice, the resulting bitstring is simply the concatena- 
tion of the mxl slice values (5i(xi), . . . , 52(xi), . . . , Smi^l)) 
as in step 1. For Bob, the shared bitstring is the same as 
Alice's, obtained from the previous steps. 
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A. Underlying Idea . , .;. ' ! ' 

The algorithms proposed m [llj; [5],; (dig], [13], [14] make 
use of parity check bits to perform i a^diiehotdmy, find an 
error and correct it. The nice thing; about binary digits is 
the obvious fact that when a wrong bit' is found, flipping it 
is correcting it. The same is not true for other alphabets. 
For an alphabet A of size n, it; may be -tempting to find 
errors by usin^ ihod n parity checks, the'most direct gen- 
eralization of its binary c^uhterpaR? This would require 
that Ahce sends log n bits for each pi^^ reducing 
the secrecy by the sarri^'amouftt.' Howievef; the error may 
be less severe than a coniplet^Iy wrdng i^ymTDol: A symbol a 
may simply be changed to a heighbonng'^ymbbl b as for in- 
stance the joint probability V(a,' miay c^^^^^ significaht 
mass only when a - I < dH- 1. 'The exchanged informa- 
tion needed to correct an error should 1)e 6f 'order H(A\B)\ 
the entropy of AliceV symbol Mowiiig^ Rather 
than disclosing log n bits for evefy^ pi^^^ \ve nefed to 

be finer-grained. By iisiiig'slic^'/ was benign 
enough to be corrected in one sl'ic^^^^^ induce errors 

in subsequent slices.' We thuS 'avoid disclosing excessive in- 
formation because of that- particulai: etfdf 'in subsequent 
slices. ' --''-J'- ''" • 

B, Sliced Error Correction ' as a Uriiijefsal 'Tdol 

. A natural target goal of;sliced erroj cOnection is to cor- 
rect errors by. disclosing asi few. information; as possible on 
the key shared ;by AUce^and. Bob. However,, one does npt 
expect a protocol running with strings ofifinite. length and 
using finite computing resources, to achieve the .Shannon 
bound exactly. Yetj. we.show in thessubsequent paragraphs 
that sliced error correction is indeed asymptotically effi- 
cient, that is, it reaches the Shannoui bound in terms of 
leaked information when the number of, dimensions rf:(i.e., 
the input alphabet size) g6es.to.infinityv This result makes 
use of the asymptotic .eq^iipajtition-i property = [15] and is 
pretty. much in line with. similar. information theory results. 

For simplicity, and without loss of generality, we now 
consider discrete raw key spaces. The outline of the proof 
is as follows. Assume that the number of dimensions d 
is very large. Stated otherwise, Alice and Bob create a 
string whose elements are vectors of raw key values with 
high dimensionality. The number of slices m needed to 
encode grows about hnearly with d, as m w dH{X). 
Conversely, the length / of the string does not matter, and 
can remain finite. By the asymptotic equipartition prop- 
erty (AEP), one can only consider the typical values oid- 
dimensional sequences x^, which are almost uniformly dis- 
tributed - the density of non- typical cases vanishes. There 
are about T^^^^^ such typical values. When Bob receives 
a value x' , he must guess among about 2^^^^'^') possible 
values from Alice in the set {X^\x^^}. This results from the 
AEP apphed to the jointly typical values (X, X% Bringing 
the knowledge of a slice Si{X) to Bob cuts approximately 
in half the number of remaining possibilities. Hence, after 
revealing about dH(X\X') slices, Bob should know Alice's 
value with almost certainty. 



Lemma 1: Let Z = {Zi... Zj^) a list of N random bit 
strings of arbitrary length, independently and uniformly 
distributed. The probability that a given string from the 
list, say Zj, can be uniquely identified in Z by specifying 
only the first r bits is (1 - 2-'')^-^ 

Proof: The probability of Zj being uniquely identi- 
fiable from its first r bits is the probability that no string 
among the - 1 other ones in the list starts with the same 
pattern.. Hence, this probability is (1 - 2'"'')^"^ . ■ 

^Lemma 2: Let X and X' be random variables dis- 
tributed as p{x,x^) and Ai'^^X.X') be the set of jointly 
typical sequences (X^,A'''') of length d [15]. Let a;"* be 
some fixed sequence in the set Ai^^ (X^) of typical sequences 
ih thi^' marginal distribution of X' . Define Ai'^\x\x^'^) = 
{^:\ <{x<',y') ^Ai''\x,X% Then, < 

' Proof: 

. ^ ^d.;. 

Hence, (^^'^^(Xl.i"')! < 2<'.(«(^l^')+2'). ■ 
• Lemma 3:. Suppose that Alice sends a random sequence 

;f* of length <f arid Bob receives a correlated sequence X , 
whi^h are jointly typical (x^,a;'^) e A^^\x,X'). Let m = 
\dH\^X)'^ 't\, L^t the m slices S{X) be chosen randomly 
u^iiig *a uniform! distributioli independently for all input 
values; Let T ±± \dH{X\X') + 2e - loge + 1]. Then Ve.> 
0 3D such that \/d D, Bob can recover X^ given Z'^ and 
Si (X) . . . Sr {X) With a probability of identification failure 
Pi < e. 

Proof: Alice and Bob agree on a random S{X). As- 
sume that they draw sequences x^ and x'^ that fulfill the 
typicality conditions above. For the value received, Bob 
prepares a list of guesses: {x^ E Ai^\x\x['^)}, From 
Lemma 2, this list contains no more than N < 2^^(^l-^')+2£ 
elements. Alice reveals r slice values, with r > dH{X\X^)-\- 
2e - loge -h 1. From Lemma 1, the probabihty that Bob is 
unable to correctly identify the correct string is bounded 

as < 1- (1^ 2-^^W^V2.+loge-ly2^^W 

quantity goes to 1— e-"^/^ when d -^ oo, and 1-e***^/^ < e/2 
for e > 0. Therefore, 3D such that Pi < e for all d.> D: ■ 
The above discussion determines the underlying . error 
correction protocol. Alice and Bob use a trivial allror- 
no thing correction protocol: - Alice entirely reveals slices 
Si{X) for 1 < i < r and does not reveal anything for 
other slices. (In practice, however, d is finite and the all- 
or-nothing correction is not appropriate: One must thus 
make use of a more elaborate binary correction protocol.) 
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Theorem 1: Sliced error correction, together with an all- 
or-nothing correction protocol, leaks an amount of infor- 
mation that is asymptotically close to H{X\X^) as d-¥ .oo, 
with a probability of failure that can be naade as small as 
desired. 

Proof: Lemma 3 states that lim<i_^oo dH(x\x7 J ~ ^' 
Regarding the probability of failure, there are two. sources 
of possible failure: the failure of identification Pi and the 
fact that (x^a;'^) ^ Ai'^^X.X'). From Lemma 3 and 
from the AEP, both probabilities are upper bounded by 
c. Therefore, the total failure probability behaves as 0(e) 
when € 0. ■ 

V. Analysis of Sliced Error Correction 

The net amount of secret information that Alice and 
Bob can rely on after correction and privacy amplification 
is determined by both the entropy of the slices and the 
leaked information in the reconciliation messages. We now 
analyze these quantities and derive an explicit construction 
for slice estimators. 

A, Net Amount of Secret Information 

The amount of information shared by Alice and Bob at 
the end of the reconciliation protocol is H{S{X)). This is 
simply because Alice and Bob end up with identical binary 
values. This entropy can be made arbitrarily large simply 
by cutting the raw key space in an arbitrarily large number 
m of slices. However, when H{S{X)) > IiX;X*), not aU 
slices are significant and further error correction is required, 
resulting in additional leaked information. A trade oiF must 
thus be found. 

The error correction is based on a chosen binary er- 
ror correction protocol. In [5], the optimality criterion 
states, among other things, that the disclosed information 
Ie should be comparable to lH{A\B)y where I is the length 
of the string and where H{A\B) is the per-symbol condi- 
tional entropy. In the special case of a binary symmetric 
channel with error probability c, it reads H{A\B) = /i(e), 
with ^(e) = -e log e - (1 - e) log(l - e). For the algorithm 
Cascade [5], we can expect that lim/c^oo = 1 + ^ for 
some small overhead factor 

We will consider that running the binary correction pro- 
tocol reveals a H{Si{X)\Si{X' ,Si{X), . , . ,Si^i{X)))-hit 
function of S(X). In the subsequent paragraphs, we drop 
the ^ factor because our interest is mainly focused on the 
slicing construction rather than on the underlying primi- 
tive. 

Definition 1: The total disclosed information Id =. 
I{S[X)\M) is the expected information that an eavesdrop- 
per acquires about S{X) from the exchanged reconciliation 
. messages, collectively denoted M.. 

Proposition 1: In case of one-way communication. (Alice 
to Bob), the total disclosed information is lower bounded 

Id>H{S{X)\X'), 
Proof: M{S{X)) depends only on Alice's slices 
and therefore, H(M\S{X)) = 0. Using the messages M 
and his own value X', Bob can reconstruct S{X)\ hence 



H{S{X)\MX') = 0. Therefore, 

lD'-H{S{X)\r) 

= H{M) + H(X') - H[S{X),X') 

>H(M,X')^H{S{X),X') 

= H(S(X),M, X') - H{S{X), X') > 0. 

■ 

Proposition 2: For sliced error correction, the total dis- 
closed information is upper bounded as 

lD<YlH{Si{X) I Si{X',SiiX),...,Si.i{X))). (1) 

i 

Proof: Each use of the underlying binary correction 
protocol leaks H{Si{X)\Si{X\Si{X),. . ,,Si^,{X))) bits 
of information about S{X). In the worst case, the leaked 
information is uniformly distributed and independent from 
slice to slice, and must thus be summed up. ■ 

One of the main results of [8] states that if Eve gains a 
t-bit eavesdropping function V from a n-bit string shared 
by Alice and Bob, privacy amplification using a universal 
class of hash functions can give the legitimate parties a 
bit secret key K (where r = n - ^ - s, with Q < s <n — t a, 
security parameter) through the use of the randomly chosen 
function G, such that Eve's expected information is upper 
bounded as I[K;GV) < 2-'/ In 2. 

In our case, the. m x / binary values generated by Alice's 
slices can in average be converted to a IH {S{X))-hit string, 
thus E[n] = IH{S{X)), On the other hand, Eve gets a llo- 
bit eavesdropping function about the key, giving E[t] = 
II D ' Therefore, the expected number of bits Alice and Bob 
can distill per raw key element is equal to H{S{X)) -Id — 
J. For this reason, the design criteria of slices will be to 
maximize the expression H{S(X)) - Id- 

B. Information Leakage in Terms of Binary Error Rates 

The amount of leaked information in each use of the 
underlying protocol can be expressed in an. easier way than 
equation (1) by simply using e^-, the probability of error 
when correcting slice i. 

Proposition 3: The total disclosed information is upper 
bounded as /p < /e = h[ti). 

Proof: For a binary alphabet, Fano's inequality [15] 
states that 

H{Si{X) I Si{X',S^(X), < h{ei). 

The conclusion follows from Prop. 2. ■ 
In order to give an explicit expression for e,-, we must 

first define subsets of Alice's and Bob's raw key spaces. 
Definition 2: Let us define a subset of the joint domain 

'. Vf,-s,={{x\x') : Si{x) = a A Si{x',x)^h), 

where Si{x',x) summarizes Si(x' ,Si(x), . . . ,Si-i{x)). 
With such a set, we define the associated probability: 

Ps<si= f P{x,x')dxdx\ 
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Other symbols, such V^^fg^^^^ and the associated proba- 
bUity P^^J^^§^i are constructed using the same pattern. 

The error probability in slice i can then be expressed as 
the probability that Bob's slice estimator yields a result 
different from Ahce's slice: 

g. poi , pio 

C, Maximum Likelihood Slice Estimators 

We now give an expHcit construction for slice estimators 
by minimizing the binary error rates. It turns out that this 
construction reduces to the maximum likelihood estimator. 

Maximizing the global efficiency of the sHce estimators is 
not a simple task because the efficiency of a slice estimator 
5i recursively depends on all previous estimators 5j<,-. For 
this reason, our goal here is simply to minimize each e,-, of 
which h{ei) is an increasing function for 0 < < by 
acting only on Si, This results in an explicit expression for 
Si{x',Si{x),.,.,Si^i{x)y 

Definition 3: Subsets of Alice's raw key space are defined 
using the following pattern: = {x : Si(x) = The 
associated probability measure becomes a fimction of x': 

Definition 4: Symmetrically, we define subsets of Bob's 
received values using the same kind of pattern. For in- 
stance, B^^'i^ is defined as {x' : Si{x',fii) = b}. 

Lemma 4: An individual probability can be ex- 

panded as a sum of smaller probabihties over all possible 
values Pj^i of the previous slices: 

Lemma 5: Each of these smaller terms can be expanded 

as 

= L........ pt:^M)d^. (3) 

Theorem 2: A slice estimator Si minimizes e,- if it has 
the form 

A(<A,...,.{«|i;«^M>'fci(A „ 

except for cases where the probabilities are equal or over 
some zero-measure set. 

Proof: A slice estimator can make its decision to out- 
put a zero or a one as a function of the previously known 
slices. Therefore, it can be designed to do its best guess 
over a restricted set ^^l;;;^;:;/ independently of the oth- 
ers. To minimize e,- = P^K^ + p^o__, one can thus take 
advantage of the independence of smaller terms in (2) and 
rninimize them individually. 

From equation (3), the terms Pf^ , for a correct 

guess, and P^lZ^^^Si ' ^ "^^ong guess, result from the 
integration of the same function over two different sets. 



namely 8^;;^-^^ and B^;;^^. Therefore, the domain 
of correct guesses should simply cover all subsets in which 
the integrand is larger, and leave the smaller parts to the 
domain of wrong guesses. g 
Equation (4) is simply the maximum hkeUhood principle, 
expressed for slice estimators. 

VI. Correction of Gaussian Key Elements 

We must now deal with the reconciliation of mforma- 
tion from Gaussian-distributed variables X iV(0, E) and 
= X ^ N(Q,a), Let us first compare this prob- 
lem with known transmission schemes, namely quantiza- 
tion and coded modulation. We temporarily leave out the 
slice estimation problem and assume that Bob wants to 
have most information (in ths Shannon sense) about a dis- 
crete value T{X), computed by Alice, given its noisy value 
X', 

In a vector quantization (VQ) system, a random input 
vector X is transmitted over a noiseless discrete channel us- 
ing the index of the closest code-vector in a given codebook. 
The codebook design issue has been extensively studied in 
the VQ hterature [16]. The criterion to optimize in that 
case is the average distortion between X and the set of 
reproduction vectors. In a coded modulation system, a bi- 
nary key k is sent over a continuous noisy channel using 
a vector X belonging to a codebook in a Euclidean space. 
Trellis-coded modulation and lattice-based coded modu- 
lation are instances of this scheme. This latter scheme is 
probably the closest in spirit to our problem, in that a. con- 
tinuous channel is used to transmit a binary key. In these 
two well-studied problems, however, the information sent 
on the channel is chosen by Alice in a codebook, which is 
not true in our case. The block diagrams of these methods 
are shown on Fig. 1. 

It is conjectured that the analyzes of the quantization 
noise in lattices and their channel coding properties [17] 
might be useful in our problem, but we will restrict our- 
selves to the one-dimensional case. The partitioning and 
slice assignment issues for d = 1 are examined next. 

A, Design 

In this section, we present how we designed slices and 
slice estimators for specifically correcting Gaussian raw 
keys. We now assume d = 1, that is, Alice and Bob use 
Gaussian key elements individually. The idea is to divide 
the set of real numbers into intervals and to assign slice val- 
ues to each of these intervals. The slice estimators are then 
derived as most likelihood estimators as explained above. 

For simplicity, the design of the slices was divided into 
two smaller independent problems. First, we cut the set of 
real numbers (Alice's raw key space) into a chosen number 
of intervals - call this process T{X), For the chosen number 
of intervals, we try to maximize I{T(X);X*). Second, we 
assign m binary values to these intervals in such a way that 
slices can be corrected with as few leaked information as 
possible. 
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The process T{X) of dividing the real numbers into t 
intervals is defined by t - 1 variables n . . ,rt-.i. (Note 
that S{X) will be an invertible function of T{X) but for 
the moment we do not yet care about assigning bit values 
to the intervals.) The interval a with I < a < t is then 
delined by the set {x : Ta^i < x < Ta} where tq = -co 
and Tt = +00. The function I{T{X)\X*) was numerically 
maximized under the symmetry constrains Ta = n-o to 
reduce the number of variables to process. 

We chose to maximize I{T{X);X') = H{T{X)) - 
H{T{X)\X*) because this allows Bob to get most of the 
information about T{X) in X^ Note that this formula is 
closely related to H{S{X)) --Id^bs H{S{X)) = H{T{X)) 
and Id > H{T{X)\X'). The quantity H{T{X)\X') mixes 
discrete and continuous components. Its intuitive inter- 
pretation is the following. For a given X\ Bob derives a 
distribution of possible values T{X) and calculates its en- 
tropy, roughly equal to the number of bits Alice has to 
provide him with to recover T{X). Then H{T{X)\X') is 
simply such an entropy averaged over all possible X\ 

The results are displayed in Fig. 2 below. I(T{X);X') 
is bounded from above by log< and goes to | log(l +SNR) 
as * 00. 

Let us detail the expressions we evaluated. The random 
variable X is Gaussian-distributed with variance E^. X* 
is the result of adding a random noise c of variance to 
X. Hence, the random variables X and X' follow the joint 
density function 
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Since I{T{X)iX') = H(T{X)) + H{X') - H{T{X),X'), 
we need to evaluate all these terms. 

H{T{X)) = -'£Pa\ogPa, with 

H{X') = ilog27re(E2 + a\ and 
H{A,X') = - ^ dx'U{x')\ogh{x'), with 

/«(x')= r dxfx,x'{x,x'). 



Prom the above procedure, we get intervals that are 
bounded by the thresholds Tq. The next step is to con- 
struct m slices that return binary values for each of these 
intervals, Let us restrict ourselves to the case where t is 
a power of two, namely t = 2^. We investigated several 
assignment methods, and it turned out that the best bit as- 
signment method consists of mimicking Lemma 3, with the 
first slices containing noisy values that helps Bob narrow 
down his guess as quickly as possible. It is further illus- 
trated by the fact that h\l) -f h{0) < h(\) + h{\), whose 
interpretation is that it is more efficient to correct most 
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Comparison with other coding schemes, a denotes a mapping 

PROM R** TO A CODEBOOK OP BINARY STRINGS AND 7 A MAPPING 
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STRINGS, We indicate the PERFORMANCE CRTTBRION TO OPTIMIZE 
IN EACH CASE. 
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Optimized l(T{X)\X') as a function op logt for various 
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errors all at once, preferably in the beginning so that the 
subsequent slices can benefit from the gained knowledge. 

The chosen method consists thus of assigning the least 
significant bit of the binary representation of a - 1 (0 < 
a - 1 < 2"* - 1) to the first slice Si{x) when Ta-i <x < 
Ta . Then, each bit of a - 1 is subsequently assigned up to 
the most significant bit, which is assigned to the last slice 
Sm(x), More explicitly, 

c./«.^ —Jo if ^2<n < a: < r2.n.+2iri» /cx 
^•^"^^^ \ 1 otherwise. (^) 

B. Numerical Results 

We evaluated H{S{X)) and = T,i h{ei) for several 
(m,E/cr) pairs. Let us now give some numerical examples. 
Assume that the Gaussian channel has a signal-to-noise rar 
tic of 3. According to Shannon *s formula, a maximum of 
1 bit can thus be transmitted over such a channel. These 
cases are plotted in Fig. 3. First, consider the case m = 1, 
that is only one bit is extracted and corrected per Gaussian 
value. From our construction, equation (5) reduces to sim- 
ply dividing the real line into two parts: Si{x) = 1 when 
a; > 0 and Si{x) = 0 otherwise. Accordingly, Bob's most 
likelihood estimator (4) is essentially equivalent to Alice's 
slice, 5i(x') = Si{x'). In this case, the probability that Al- 
ice*s and Bob's values differ in sign is ei « 0.167 and hence 
- le = h{ei) pa 0.65 bits. The net amount. of information is 
thus approximately 1 - 0.65 = 0.35 bit per raw key value 
when the security parameter s is chosen to- be. zero. 

The last result is not very, efficient and i&.more useful for 
illustration purposes than for practical, ones. Let us now 
investigate the case of m = 4 sHces, still ;with a signal-to- 
noise ratio of 3. The division of the raw key space into 
intervals that maximizes I(T{X);X') is. given in the ta- 
ble below. Note that the generated intervals blend evenly 
distributed intervals and equal- width intervals (except the 
first and the last ones of course). Evenly distributed inter- 
vals maximize entropy, whereas equal- width intervals best 
deal with additive Gaussian noise. 
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Alice's slices follow equation (5), and Bob's slice estima- 
tors are defined as usual using equation (4). The correction 
of the first two slices (i.e., the least two significant bits of 
the interval number) have an error ratie that make them al- 
most uncorrelated, namely ei ^ 0.496 and 62 ^ 0.468. Cor- 
recting those slices reduces to Alice revealing them. These 
slices distinguish values that are pretty close from one an- 
other as compared to the standard deviation of the noise 
((t/S ^ 0.577, whereas e.g., rg - rg « 0.254). However, in- 
formation about the first two slices is now known to Bob, 
which helps him in estimating slices 3 and 4. As of slice 
3, Alice's value x is known to Bob to be in some interval 
'^4n+^ < < for which he knows ^ but not n. The 

distance between such two intervals is now larger than the 



standard deviation of the noise and slice 3 can thus be cor- 
rected with a reasonable error rate, 63 fa 0.25. The knowl- 
edge of slices 1 and 2 contributes in reducing the leaked 
information in slice 3. Correction of slice 4 takes even more 
advantage of the past information, and 64 ftf 0.02. Globally, 
AHce and Bob share H{S{X)) fa 3.78 bits after correction, 
out of which /e 2.95 bits were necessary for running the 
reconciliation protocol, leaving H{S{X))-Ie « 0.83 bit of 
net information per raw key element. 

We also investigated other signal-to-noise ratios. When 
Ti^/e^ = 15, Alice and Bob can share up to 2 bits per 
raw key element. Such cases are plotted in Fig. 4. We 
recommend to use from 2 to 4 slices more than the number 
of bits that can be transmitted by the Gaussian channel. 
In the case m = 5, we get a net amount of information of 
about 1.81 bits per raw key element. Evaluating the error 
rates gives again high error rates in the first two slices (ei « 
0.497, 62 « 0.466). The third one is still affected by noise 
(ea pa 0.242) and then the error rate drops dramatically 
(64 w 0.024 and 65 6 • 10"^), 

As one can notice, the first few error rates (e.g., ei and- 
62) are high and then the next ones fall dramatically. A 
first interpretation is related to the all-or-nothing binary 
reconciliation protocol used in Th. 1. The first slices are 
used as a way to narrow down the search among the most 
likely possibilities Bob can think of, and then the last slices 
compose the shared secret information. 

A second interpretation is that sUces with high error 
rates play the role of sketching a hypothetical codebook 
to which Alice's value belongs. After revealing the first 
few slices, Bob knows that her value lies in a certain num- 
ber of narrow intervals with wide spaces between them. If 
Alice had the possibility of choosing a codebook, she would 
pick up a value from a discrete list of values - a situation 
similar to the one just mentioned except for the interval 
width. Using more slices m > 4 would simply make these 
codebook-like intervals narrower. 

In figure 5, we show these error rates for m = 4 when the 
noise level varies. From the role of sketching a codebook, 
slices gradually gain the role of really extracting informa- 
tion as their error rates decrease with the noise level. 

VII. Conclusions 

Current reconciliation procedures are aimed at correct- 
ing strings of bits. A new construction for reconciliation 
was proposed, which can be implemented for correcting any 
kind of shared variables, either discrete or continuous. This 
construction is then applied to the special case of Gaussian- 
distributed key elements, in order to complement a new 
kind of quantum key distribution scheme [9]. This could 
also be applied to other quantum key distribution schemes 
[18], [19], [20], [21] that deal with continuous variables as 
well. We showed theoretical results on the optimality of 
our construction when applied to asymptotically large bloc 
sizes. Practical results about reconciliation of Gaussian key 
elements show that such a construction does not leak much 
more information than the theoretical bound. 
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^^"^^""^ methods for quantum key distribution 
(QKD) based upon the generation and transmission of ran- 
dom cUstributions of coherent or squeezed states, and we show 
that they are are secure agamst individual eavesdropping at- 
tacks. These protocols require that the transmission of the 
optical line between Alice and Bob is larger than 50 %, but 
they do not rely on * Wclassical" features such as squeezing 
Their security is a direct consequence of the no^cloning theo- 
rem, that Umits the signal to noise ratio of possible quantum 
measurements on the transmission hne. Our approach can 
also be used for evaluating various QKD protocols usmg Hght 
with gaussian statistics. 

PACS numbers: 03.67,Dd, 42.50,Dv, 89.70.+C 

Since the experimental demonstration of quantum tele- 
portation of coherent states [1], a lot of interest has arisen 
in continuous variable quantum information processing. 
In particular, a stimulating question is whether quan- 
tum continuous variables (QCV) may provide a valid 
alternative to the usual "single photon" quantum key 
distribution schemes [2]. Most present proposals to use 
QCV for QKD [3-15]. are based upon the use of "non* 
classical" light beams, such as squeezed light, or pairs of 
hght beams that are correlated for two different quadra- 
tures components (the so-called "EPR" beams, by anal- 
ogy with the historical paper by Einstein, Podolski and 
Rosen [16]). But recent work on this subject [17] under- 
lined the crucial importance of the continuous variable 
yersion of the no-cloning theorem [18], as soon as secu- 
rity is concerned in any exchange using QCV. 

In this letter, we show that there is actually no need 
for squeezed light : an equivalent level of security may be 
obtained by simply generating and transmitting random 
distributions of coherent states. The security of this novel 
protocols IS related to the no-cloning theorem, that lim- 
its possible eavesdropping even though the transmitted 
light has no "non-classical" feature such as squeezing. We 
show that our analysis can be also applied to other pro- 
tocols usmg light with gaussian statistics, i.e. squeezed 
or EPR beams, making thus the comparison easier. The 
basic tools for this analysis are the ones that have been 
extensively used for linearized quantum optics, includ- 
ing in particular optical quantum non-demolition (QND) 
measurements [19]. Before presenting our protocol, we 
will briefly review the current Uterature on continuous 
variables QKD. 

pre we consider ..security against individual attacks 
only, and we do not address the issue of uncondition- 
nal security, that was demonstrated by Gottesman and 



PreskiU [3] for squeezed states protocols (unconditional 
security of coherent states protocols remains an open 
question). Security against individual attacks was pre- 
viously considered by many authors. HiUery proposed a 
QKD scheme based on binary modulated squeezed light 
14J. Cerf et al showed it could be improved considering 
gaussian modulation [5,6] and described a reconciUation 
protocol [6,7] to implement this improved protocol In 
the present work we wiU generaHze this approach to the 
various single beam protocols of the litterature [4-121 
The protocol described in [5,6] is then a particular mem- 
ber of the family of protocols described here. EPR beams 
were also considered for QKD schemes. Some schemes 
need the propagation of one beam only from Alice to Bob 
[9-14 , the other half of the EPR pair bemg measured 
by Alice, whereas others need the propagation of two 
modes (or more) of the electromagnetical field [8 13-15] 
In the first family, Reid [10] and Ralph [9] consider "bi- 
nary modulated EPR beams, created by a parametric 
amplifier with a modulated seed [10] or interfering modu- 
lated squeezed beams [9], whereas Silberhorn et a/ [11 13] 
and Navez et al [12] extra<:t their key from correlated 
measurement sequences. As we will show below, these 
schemes can be viewed as the transmission of a modu- 
lated sub-shotnoise beam. Bencheikh et al [14] extract 
the binary key directly from the gaussian correlations. 
This extraction can be optimized using the reconciliation 
protocol described in [6,7]. The protocols transmitting 
several quantum-correlated modes of the electromagnetic 
field, using two beams [8,13-15] are beyond the scope of 
this letter, because their security analysis should take 
mto account simultaneous attack on both modes. How- 
ever, similar gaussian extension of these protocols seem 
possible. Finally, Ralph examined a binary modulated 
coherent beam protocol [8,9], and showed its need for pri- 
vacy amplification [20], Here we will introduce a family 
of gaussian protocols, and we will show that the coherent 
state version is secure and as efficient as the correspond- 
ing squeezed light or EPR protocols. 

General principle of the protocols. The QKD protocols 
we study here are single gaussian beam protocols. Alice 
modulate randomly a gaussiain beam and send it to Bob 
through a gaussian noisy channel. Both phase and am- 
plitude are modulated with gaussian random numbers, 
since It allows an optimal information rate [21]. Bob 
then measures either the phase or the amplitude of this 
beam and mforms Alice which measurement he made 
Bob and Alice- have then two correlated sets of gaussian 
variables, from which they can extract a common secret 
string of bits as explained below. 



1 



50 



The basic tool that we will use is the Shannon formula 
giving the optimum information rate / of a noisy trans- 
mission chaimel, in units of bits/symbol [21]. If the noise 
IS white and gaussian and the signal to noise ratio (SNR) 
IS 2., this optimum information rate is 

/AB = l/21og2(l + E). (1) 

Since this optimum can be closely approached only if the 
signal has a gaussian statistics [21], we will consider only 
gaussian modulation protocols, and use (1) to calculate 
the amount of private information that AUce and Bob 
may exchange m presence of the eavesdropper Eve 
f« J f*. '««'°<='liation protocol described in detail in 
lt),7J and briefly sketched in the Appendix allows us to 
get arbitrarly close to the value given by (1). For secu- 
rity purposes, one must assume that Eve has an arbitrary 
powerful computer, and thus she is able to reach this 
Unut. In case Alice and Bob are not, they will have to al- 
ow for an extra security margin (see Discussion below) 
We note that it is not required to specify a "digitizing 
step to connect the continuous variable and a bit value- 
the bits will appear at the end of the reconcihation pro-' 
fui ^ ' } .A* «tage, Alice and Bob share a string 
. ''}"'^ P"*^'' Tbey can then use 
standard privacy amplification protocol [23] to agree on 
a secret key. The rate at which this secret key can be 
constructed is 



Equation (2) shows that these protocols are secure as 
long as Bob has a more in formation on Alice's key el- 
ement than Eve, i e as long as I^s > Ue- Since the 
Shannon formula (1) is valid for both Bob and Eve the 
secunty condition is just a condition on the signal to 
noise ratios, which turns to be a condition on the added 
noises, smce the signal and the noise added at Ahce's side 
(quantum noise, Alice's technical noises) are the same. 

(3) 



A/>0 ^ Eb>E£. ;t<l 



^I=Iab-Iae, 



(2) 



^^fl {'^fx,^ ^ information rate between AUce 
and Bob (Eve). 

Eavesdropping. The Iab term of (2) is easy to com- 
pute for a given scheme, the signal to noise ratio Ep 
bemg known. We have to assume Ue being the maxi- 
mum possible given the laws of physics (considering only 
individual attacks, coherent attacks are beyond the scope 
of this letter). If the protocols are globaUy invariant un- 
der the exchange of the two quadratures X and P, the 
b^t tactic for Eve is to keep this property in her attacks. 
Iherefore, we can restrict us to attacks that treat equally 
both quadrature without loss of generality. 

Given these hypothesis, we will use a general result, 
that is demonstrated in [17] : if the added noise on Bob's 
side IS x/Vo, where No is the vacuum noise variance, then 
the mmimum added noise on Eve's side is No This 
applies to both quadratures, and the added noise may 
M-Ti o-*° eavesdropping, or any other reason 

[17J. Smce the demonstration of ref. [17] is just another 
torm of the no-clomng theorem, it also adresses any indi- 
vidual attack by Eve using a cloning machine [18]. When 
the Ime has a transmission 7 with no Eve present, one 
has X = (1 - rj)/r^. The best attack for Eve is then to take 
a fraction 1 - t? of the beam at Alice's site, and to send 
the fraction 7? to Bob through her own lossless line (that 
may be a perfect teleporter). Eve is then totally unde- 
tected and she gets the maximum possible information 
according to the no-cloning theorem. 



Smce X _ (1 _ ri)lt^ for a line with transmission n, the 
condition X < 1 requires that r, > 1/2. Therefore, a 
usable key can be obtained in principle as soon as the 
transmission losses axe less 3dB. Taking into account the 
standard loss of 0.2dB/km m optical fibers at 1550 mn 
the typical range would be around 10 km. 

In this security evaluation, the noise added in Alice's 
aide cancels out because it disturbs equally Eve and Bob 
This cancelled' noise includes the quantum noise of the 
beam. As a consequence, the security of these protocols 
relies of the quantum aspects of measuring or copying 
but not on any quantum feature of the beam, like squeez- 
mg or entanglement. We can do quantum cryptography 
with coherent beams, as mentionned by Ralph [8 9] or 
even with highly noisy beams. Quantum features df the 
beams might influence some characteristics of the pro- 
tocol like the secret key rate or the amount of classical 
communication needed to agree on the secret key, but 
not its security. 

Coherent Beam protocol. Let us now explicitly describe 
the coherent beam protocols of this family: 

1. Alice draws two random numbers xa and pa from 
a gaussian law with variance VaNo 

2. She sends to Bob the coherent state \xa + ipA) 

3. Bob randomly chooses to measure either X or P. 
This measurement can be done perfectly. 

4. Using a classical public channel he informs Alice 
about the observable that he measured (like in the BB84 
protocol, half of the key generated by Alice is unused) 

5. Alice and Bob share two correlated gaussian vari- 
ables. Then they may use the "sUced reconciliation" pro- 
tocol [7,6] to transform it into errorless bit strings. Fi- 
nally, they have to use a standard protocol for privacy 
amplification [23] in order to distill the private key 

According to eq. (1), the channel rate AI for the pri- 
vate key will be: 

A/=jl0g2(l + Efl)-il0g2(l + EB) (4) 

The total variance of any quadrature of the beam when 
It leaves Alice's realm is VNo = VaNo + N,. Using the 
expressions 1 + Ea = and 1 + E^ = the 
useful secret information rate is : . 

^^=ilofei^ (5) 

If X < 1, A/ will increase as a function of the signal 
modulation Va- For large modulation (yV » 1) the 
asymptotic value of A/ is : 
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A/a.vmp = -i logj X = § l0g2 1^ (6) 

while the raw channel rate between Alice and Bob is 

Squeezed state protocol. This protocol can straightfor- 
wardly be generalized to modulated squeezed beam, with 
a squeezing factor $ <l. The protocol becomes : 

1. Alice chooses randomly if the beam is squeezed in 
X or P (for instance we will later assume the beam being 
X-squeezed). Let denote |^) this squeezed state. 

2. Alice draws two random numbers xa and pA from 
two gaussian laws with variances 14a and Vp^No. The 
two squeezed direction are indistinguishable for Eve ilf 

V^^Nq + sNo = Vp^No + ^No = VNq (7) 

3. Alice sends to Bob the displaced squeezed state 

D{XA + ipa) |^> 

4. Bob randomly chooses to measure either X oi P, 

5. Using a public channel, Alice and Bob inform each 
other about the squeezing direction and the measured 
observable. 

6. Like with coherent states Alice and Bob share cor- 
related gaussian variables, from which they can extract 
a private binary key. 

This protocol obviously reduces to the protocol de- 
scribed above if s = 1. Another limit, where Vp^ = 0 
or V = 1/5, is the protocol described by Cerf et al in 
[5,6]. In this case, information is gathered for the key 
only when Bob makes the right guess. 

To compute the private rate A/, we will average be- 
tween the right guesses and the wrong guesses : 

A/ = ^[{Iabx - Iaex) + {Iabp - Iaep)] (8) 

We have Ebx = ^ = ^ and 1 + Ebx = 

The three other signal to noise ratios are obtained by 

replacing x or/and s by x"^ or 5""^ Therefore, 

Tab = \ log2 - i log2(x + ^ + s -f i) (10) 

^AE = \ log, ^ i lo6,(x + ^ + ^ + ^) (11) 

Since the s-dependent term of these information rates 
are the same, they cancel each other in AL The secret 
information rate is thus again given by eq. (5) , and does 
not depend on the degree of squeezing. 

Extension to EPR case. The previous description does 
not apply directly on EPR protocols. However, an EPR 
QKD protocol where Alice keeps one of the beams and 
sends the other to Bob is logically equivalent to a ran- 
domly modulated beam with a sub-shot noise quantum 
variance. Let note Xa the quadrature Alice measures 
and Xout the same quadrature of the beam sent to Bob 
when it leaves Alice's lab. For a standard non- modulated 
EPR scheme [11] we have the following relations : 



(^i) = (^olt)=^=(^ + lA)/2 (12) 
{{XA-X,^t?)^2s (13) 
{XAXout) =V - s (14) 

We can separate Bob's beams in two parts, that are re- 
spectively correlated and uncorrected with Alice's mea- 
surement, by writing Xo^xt = qXa^-N where {XaN) = 0. 
Bob's beam is then equivalent to a beam with quantum 
noise {N^) on quadrature X, which is randomly modu- 
lated with the variable qXa- Using eqs (12,14) one gets: 

g ^i^s/V^{l^s'')l{\+s'') (15) 
{N^) = s{2 - s/V) = 2^^/(1 + s^l (16) 

These equations describe the case where Alice and Bob 
measure the same quadrature. When Alice changes her 
quadrature, while Bob keeps the same measurement, the 
initial wave packet is reduced onto a noisy quadrature, 
and no useful correlation is generated. On the average, 
the information rate is therefore half of the "equivalent" 
modulation scheme. Using (12), we have then: 

l + Ea = l + ^=i^ (17) 
A/= ilog,(^^) = ilog,(^) (18) 

This value of AI is again just the same as the coherent 
state result (5) for given x and so that 5 is defined 
by (12). Adding excess noise or a modulation on the 
outgoing beam brings no further improvement. 

Discussion. Various comments are in order. First, it 
appears that non classical features like squeezing or EPR 
correlations have no influence on the achievable secret key 
rate for the family of protocols that were described here. 
This result may not apply to all possible protocols, e.g. , 
we did not consider using a continuous quantum memory. 
On the other hand, since the raw information rate are dif- 
ferent for the same secret key rate, squeezed beams can 
be used to save classical communications during the pri- 
vacy amplification procedure. The EPR beams have also 
the advantage of directly providing quantum-generated 
gaussian noise, rather than having it externally generated 
by Alice. More importantly, entanglement, that is not di- 
rectly used in the present protocols, can be useful to beat 
the 3 dB limit by using more than one beam. Though the 
3 dB loss limit of our cryptography protocols makes their 
security demonstration quite intuitive, there exist multi- 
ples ways for Alice and Bob to go beyond this limit. The 
most radical way is to send many EPR beams through 
the noisy channel, then to use entanglement purification 
[22] to build stored entanglement between Alice and Bob, 
and finally to implement a high fidelity teleporter. For 
any finite value of the losses and EPR entanglement, an 
arbitrarily high fidelity can be achieved [22]. The no- 
cloning theorem ensures the security of these schemes 
as soon as the fideUty of the teleporter is above 2/3 [17], 
which is equivalent to the 3 dB loss limit discussed above. 
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In some sense, a "lossless" line is re-created by using en- 
tanglement purification. There may exist more realistic 
ways to cross the 3 dB barrier. For instance, Alice and 
Bob may "invert" the reconciliation procedure, with Al- 
ice guessing Bob's measurement instead of Bob guessing 
Alice's value [23]. This inverted procedure may be more 
efficient, but its complete security analysis is beyond the 
scope of this letter. 

On the practical side, one should note that Bob's detec- 
tors are not ideal, but have a non-zero electronic noise 5o, 
that should be much smaller than A^o, and a maximum 
(saturation) input power (tBq > Nq, where (T > 1 is the 
detector's dynamics. Taking mto account these charac- 
teristics in the simplest coherent state protocol gives an 
optimum value of the signal variance, Va ^ s/^- An- 
other point is that Alice and Bob may not be able to 
achieve the Shannon limit (1), due to limited comput- 
ing power (no such Hmitation is relevant for Eve). As- 
suming that the effective information rate between Alice 
and Bob is reduced by a factor a < 1, the net secret 
rate becomes A/g// = olIab - lAE^ and remains posi- 
tive if a > IabIIaB' The quantity A/g// is plotted on 
Fig.l for a = 1 (full lines), and for various values of a 
that are arbitrarily associated with various values of the 
SNR (dashed lines). It is clear from that figure that low 
values of a reduce the transmission range in which the 
protocol is secure. We note that according to [6,7], the 
sliced reconciliation protocol should yield a ^ 1 (see also 
Appendix) , but this may be costly in terms of calcula- 
tion time and public channel transmissions. All these 
constraints should eventually be taken into account to 
choose the most appropriate value oIVa- 

As a conclusion, it is possible to design a QKD scheme 
with coherent states, secure against any individual at- 
tack, by using optimized reconciliation protocols and 
privacy amplification. Since the protocol does not re- 
quire squeezing, it can be implemented by sending light 
pulses in a low-loss optical fiber, like in a coherent optical 
telecommunication scheme. In that case, all pulses will 
be useful, but half of the random numbers generated by 
Alice will not be used. We demonstrated that the pro- 
tocol is asymptotically secure [7] for losses smaller than 
3dB (or a teleportation fidelity larger than 2/3 [17]), and 
the net information rate for the private key with a large 
signal modulation is l/21og2(l/x) = l/21og2(f7/(l - ??)). 

Appendix : Sliced reconciliation protocol 

In the n-slice version of the reconciliation protocol pro- 
posed in ref. [7], the real axis representing the amplitude 
of the signal is split in 2" intervals s\ =;] -oo, -^i], 52 = 
] -^2], ... 52» =]<2«-i, +oo[, where = -<2«~p, 
and i2^-\ .= Q. Alice assigns an amount of n bits to 
an amplitude that lies in the interval 5p, by using the 
parity of p for bit 1, of Floor{p/.2) for bit 2, ... , and 
■.of Floor{pl2'^'^) for bit n. After receiving the data, 



Bob makes an optimized guess of the first bit value us- 
ing appropriate weighting functions, that are computed 
by optimizing the choice of the {tp} (this optimization 
is made only once, before exchanging the data). After a 
first correction round by exchanging public data between 
Alice and Bob, Bob knows the correct value of the first 
bit. Then he tries to guess the second bit, with a much 
higher probability of success, because he already knows 
the first one. By increasing both the SNR E and the 
number of slices, the process gets more and more effi- 
cient, keeping the same main idea : after each correction 
round, Bob can guess the next bit with a higher proba- 
bility. For the 5-slice protocol with E = 15 presented in 
[7], the probabilities of guessing right for slices 4 and 5 
are respectively 0.976 and 0.999994, and the efficiency is 
more than 90% of the Shannon limit |log2(16) = 2. 
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FIG. 1. Private channel information rate A/ as a function 
of the channel noise x- The three curves in fuU lines corre- 
spond to Va = 1, 5, 50 from the bottom to the top, assum- 
ing that the reconciliation protocol between Alice and Bob 
reaches the Shannon limit. The three curves in dashed lines 
correspond to the effective A/ with the sames values of Va, 
with (arbitrarily chosen) reconciliation efficiencies a that are 
respectively 0.6, 0.8 and 0.95 of the Shannon limit. 
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Electrodynamics was discovered and fonnalized in the 
19th century. The 20th century was then profoundly af- 
fected by its applications. A similar adventure may be 
underway for quantum mechanics, discovered and for- 
malized during the last century. Indeed, although the la- 
ser and semiconductor are already common, applica- 
tions of the most radical predictions of quantum 
mechanics have only recently been conceived, and their 
full potential remains to be explored by the physicists 
and engineers of the 21st century. 

The most peculiar characteristics of quantum mechan- 
ics are the existence of indivisible quanta and of en- 
tangled systems. Both of these lie at the root of quantum 
cryptography (QC), which could very well be the first 
commercial application of quantum physics at the single- 
quantum level In addition to quantum mechanics, the 
20tfa century has been marked by two other major scien- 
tific revolutions: information theory and relativity The 
status of the latter is well recognized. It is less well 
known that the concept of information, nowadays mea- 
sured in bits, and the formalization of probabihties are 
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quite recent, although they have a tremendous impact 
on our daily life. It is fascinating to realize that QC lies 
at the intersection of quantum mechanics and informa- 
tion theory and that, moreover, the tension between 
quantum mechanics and relativity — the famous 
Einstein-Rosen-Podolsky (EPR) paradox (Einstein 
et al, 1935) — ^is closely connected to the security of QC. 
Let us add a further point for young physicists. Unlike 
laser and semiconductor physics, which are manifesta- 
tions of quantum physics at the ensemble level and can 
thus be described by semiclassical models, QC, and to an 
even greater extent quantum computers, require a full 
quantum-mechanical description (this may offer an in- 
teresting challenge for physicists well trained in the 
subtleties of their science). 

This review article has several objectives. First, we 
present the basic intuition behind QC. Indeed, the basic 
idea is so beautiful and simple that every physicist and 
student should be given the pleasure of learning it. The 
general principle is then set in the broader context of 
modem cryptology (Sec. II,B) and made more precise 
(Sec. n.C). Section III discusses the main technological 
challenges. Then, Sees. IV and V present the most com- 
mon implementations of QC: the use of weak laser 
pulses and photon pairs, respectively. Finally, the impor- 
tant and difficult problems of eavesdropping and secu- 
rity proofs are discussed in Sec. VI, where the emphasis 
is more on the diversity of the issues than on formal 
details. We have tried to write the different parts of this 
review in such a way that they can be read indepen- 
dently. 

It. A BEAUTIFUL IDEA 

The idea of quantum cryptography was first proposed 
in the 1970s by Stephen Wiesner^ (1983) and by Charles 
H. Bennett of IBM and Gilles Brassard of The Univer- 
sity of Montreal (1984, 1985).^ However, this idea is so 
simple that any first-year student since the infancy of 
quantum mechanics could actually have discovered it! 
Nevertheless, it is only now that the field is mature 
enough and information security important enough that 
physicists are ready to consider quantum mechanics, not 
only as a strange theory good for paradoxes, but also as 



^The Russian mathematician A. N. Kolmogorov (1956) is 
aedited with being the first to have formulated a consistent 
mathematical theory of probabiUties in the 1940s. 

^S. Wiesner, then at Columbia University, was the first to pro- 
pose ideas closely related to QC in the 1970s. However, his 
revolutionary paper did not appear until a decade later. Since 
it is difficult to find, we reproduce his abstract here: The un- 
certainty principle imposes restrictions on the capacity of certain 
types of communication channels. This paper will show that in 
compensation for this "quantum noise, " quantum mechanics al- 
lows us novel forms of coding without analogue in communica- 
tion channels adequately described by classical physics, 

^Artur Ekert (1991) of Oxford University discovered QC in- 
dependently, though from a different perspective (see Sec. 
II.D.3). 



a tool for new engineering. Apparently, information 
theory, classical cryptography, quantum physics, and 
quantum optics first had to develop into mature sci- 
ences. It is certainly not a coincidence that QC and, 
more generally, quantum information were developed 
by a conmiunity including many computer scientists and 
more mathematically oriented young physicists: broader 
interests than traditional physics were needed. 



A. The intuition 

Quantum physics is well known for being counterin- 
tuitive or even bizarre. We teach students that quantum 
physics establishes a set of negative rules stating things 
that cannot be done. For example, 

(1) One cannot take a measurement without perturbing 
the system. 

(2) One cannot determine simultaneously the position 
and the momentum of a particle with arbitrarily 
high accuracy. 

(3) One cannot simultaneously measure the polariza- 
tion of a photon in the vertical-horizontal basis and 
simultaneously in the diagonal basis. 

(4) One cannot draw pictures of individual quantum 
processes. 

(5) One caimot dupUcate an unknown quantum state. 

This negative viewpoint of quantum physics, due to its 
contrast with classical physics, has only recently been 
turned positive, and QC is one of the best illustrations of 
this psychological revolution. Indeed, one could charac- 
terize quantum information processing as the science of 
turning quantum conundrums into potentially useful ap- 
pUcations. 

Let us illustrate this point for QC. One of the basic 
negative statements of quantum physics reads 

One cannot take a measurement without perturbing 

the system (1) 

(unless the quantum state is compatible with the mea- 
surement). The positive side of this axiom can be seen 
when applied to a communication between Alice and 
Bob (the conventional names of the sender and receiver, 
respectively), provided the communication is quantum, 
that is, quantum systems, for example, individual pho- 
tons, carry the information. When this is the case, axiom 
(1) also apphes to eavesdroppers, i.e., to a maUdous Eve 
(the conventional name given to the adversary in cryp- 
tology). Hence Eve cannot get any information about 
the communication without introducing perturbations 
that would reveal her presence. 

To make this intuition more precise, imagine that Al- 
ice codes information in individual photons, which she 
sends to Bob. If Bob receives the photons unperturbed, 
then, according to the basic axiom (1), the photons were 
not measured. No measurement implies that Eve did not 
get any information about the photons (note that acquir- 
ing information is synonymous with carrying out mea- 
surements). Consequently, after exchanging the photons. 
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FIG. 1. Implementation of the Bennett and Brassard (BB84) 
protocol. The four states lie on the equator of the Pdincare 
sphere. 

Alice and Bob can check whether someone "was listen- 
ing": they simply compare a randomly chosen subset of 
their data using a public channel. If Bob received this 
subset unperturbed, then the logic goes as follows: 

0 No perturbation=^No measurement 

=*No eavesdropping. (2) 

Actually, there are two more points to add. First, in 
order to ensure that axiom (1) applies, Alice encodes 
her information in nonorthogonal states (we shall illus- 
trate this in Sees. II.C and n.D). Second, as we have 
presented it so far, Alice and Bob could discover any 
eavesdropper, but only after they have exchanged their 
message. It would of course be much better to ensure 
their privacy in advance and not afterwards. To achieve 
this, Alice and Bob complement the above idea with a 
(X" second idea, again a very simple one, and one which is 
entirely classical. Alice and Bob do not use the quantum 
channel to transmit information, but only to transmit a 
random sequence of bits, i,e., a key. Now, if the key is 
unperturbed, then quantum physics guarantees that no 
one has gotten any information about this key by eaves- 
dropping, i.e., measuring, the quantum communication 
channel In this case, Alice and Bob can safely use this 
key to encode messages. If, on the other hand, the key 
turns out to be perturbed, then Alice and Bob simply 
disregard it; since the key does not contain any informa- 
tion, they have not lost any. 

Let us make this general idea somewhat more precise, 
in anticipation of Sec. U.C. In practice, the individual 
quanta used by Alice and Bob, often called qubits (for 
quantum bits), are encoded in individual photons; for 
example, vertical and horizontal polarization code for 
bit values 0 and 1, respectively. The second basis can 
then be the diagonal one (±45** linear polarization), 
with +45° coding for bit 1 and -45° for bit 0, respec- 
tively (see Fig. 1). Alternatively, the circular polarization 
basis could be used as second basis. For photons the 
quantum communication channel can be either free 
space (see Sec. IV.E) or optical fibers — special fibers or 
the ones used in standard telecommunications (Sec. 
III.B). The communication channel is thus not really 
quantum. What is quantxun are the information carriers. 
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Before continuing, we need to see how QC could fit 
into existing cryptosystems. For this purpose the next 
section briefly surveys some of the main aspects of mod- 
em cryptology. 

B. Classical cryptography 

Cryptography is the art of rendering a message unin- 
telligible to any unauthorized party. It is part of the 
broader field of cryptology, which also includes cryp- 
toanaiysis, the art of code breaking (for a historical per- 
spective, see Singh, 1999). To achieve this goal, an algo- 
rithm (also called a cryptosystem or dpher) is used to 
combine a message with some additional information — 
known as the key — ^and produce a cryptogram. This 
technique is known as encryption. For a cryptosystem to 
be secure, it should be impossible to unlock the crypto- 
gram without the key. In practice, this requirement is 
often weakened so that the system is just extremely dif- 
ficult to crack. The idea is that the message should re- 
main protected at least as long as the information it con- 
tains is valuable. Although confidentiality is the 
traditional application of cryptography, it is used nowa- 
days to achieve broader objectives, such as authen- 
tication, digital signatures, and nonrepudiation (Bras- 
sard, 1988). 

1 . Asymmetrical (public-key) cryptosystems 

Cryptosytems come in two main classes — depending 
on whether Ahce and Bob use the same key. Asym- 
metrical systems involve the use of different keys for 
encryption and decryption. They are commonly known 
as public-key cryptosystems. Their principle was first 
proposed in 1976 by Whitfield Diffie and Martin Hell- 
man, who were then at Stanford University. The first 
actual implementation was then developed by Ronald 
Rivest, Adi Shamir, and Leonard Adleman of the Mas- 
sachusetts Institute of Technology in 191S^ It is known 
as RSA and is still widely used. If Bob wants to be able 
to receive messages encrypted with a pubHc-key crypto- 
system, he must first choose a private key, which he 
keeps secret. Then he computes from this private key a 
public key, which he discloses to any interested party. 
Alice uses this public key to encrypt her message. She 
transmits the encrypted message to Bob, who decrypts it 
with the private key. Public-key cryptosystems are con- 
venient and have thus become very popular over the last 
20 years. The security of the Internet, for example, is 
partially based on such systems. They can be thought of 
as a mailbox in which anybody can insert a letter. Only 
the legitimate owner can then recover it, by opening it 
with his private key. 



"^According to the British Government, public-key cryptogra- 
phy was originally invented at the Government Communica- 
tions Headquarters in Cheltenham as early as 1973. For an 
historical account, see, for example, the book by Simon Singh 
(1999). 
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The security of public-key cryptosystems is based on 
computational complexity. The idea is to use mathemati- 
cal objects called one-way functions. By definition, it is 
easy to compute the function f(x) given the vaiiable x, 
but difficult to reverse the calculation and deduce x 
£rom/(x). In the context of computational complexity, 
the word "difficult" means that the time required to per- 
form a task grows exponentially with the number of bits 
in the input, while "easy" means that it grows polynomi- 
ally. Intuitively, it is easy to understand that it takes only 
a few seconds to work out 67X71, but it takes much 
longer to find the prime factors of 4757. However, fac- 
toring has a ''trapdoor,'* which means that it is easy to do 
the calculation in the difficult direction provided that 
you have some additional information. For example, if 
you were told that 67 was one of the prime factors of 
4757, the calculation would be relatively simple. The se- 
curity of RSA is actually based on the factorization of 
large integers. 

In spite of its elegance, this technique suffers from a 
major flaw. It has hot been possible yet to prove whether 
factoring is "difficult" or not This implies that the exis- 
tence of a fast algorithm for factorization cannot be 
ruled out. In addition, the discovery in 1994 by Peter 
Shor of a polynomial algorithm allowing fast factoriza- 
tion of integers with a quantum computer casts addi- 
tional doubt on the nonexistence of a polynomial algo- 
rithm for classical computers. 

Similarly, all public-key cryptosystems rely for their 
security on unproven assumptions, which could them- 
selves be weakened or suppressed by theoretical or 
practical advances. So far, no one has proved the exis- 
tence of any one-way function with a trapdoor. In other 
words, the existence of secure asymmetric cryptosystems 
is not proven. This poses a serious threat to these cryp- 
tosystems. 

In a society like ours, where information and secure 
communication are of the utmost importance, one can- 
not tolerate such a threat. For instance, an overnight 
breakthrough in mathematics could make electronic 
money instantly worthless. To limit such econoniiic and 
social risks, there is no alternative but to turn to sym- 
metrical cryptosystems. QC has a role to play in such 
alternative systems. 

2. Symmetrical (secret-key) cryptosystems 

Symmetrical ciphers require the use of a single key for 
both encryption and decryption. These systems can be 
thought of as a safe in which the message is locked by 
Alice with a key. Bob in turns uses a copy of this key to 
unlock the safe. The one-time pad, first proposed by Gil- 
bert Vernam of AT&T in 1926, belongs to this category. 
In this scheme, Alice encrypts her message, a string of 
bits denoted by the binary number m|, using a ran- 
domly generated key A:. She simply adds each bit of the 
message to the corresponding bit of the key to obtain 
the scrambled text (s-mi®k, where e denotes the bi- 
nary addition modulo 2 without carry). It is then sent to 
Bob, who decrypts the message by subtracting the key 
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(sGk=miBkQk—mi). Because the bits of the 
scrambled text are as random as those of the key, they 
do not contain any information. This cryptosystem is 
thus provably secure according to information theory 
(Shannon, 1949). In fact, it is the only provably secure 
cryptosystem known today. 

Although perfectly secure, this system has a 
problem — ^it is essential for AUce and Bob to possess a 
common secret key, which must be at least as long as the 
message itself. They can only use the key for a single 
encryption — Whence the name **one-time pad." If they 
used the key more than once. Eve could record all of the 
scrambled messages and start to build up a picture of the 
plain texts and thus also of the key. (If Eve recorded two 
different messages encrypted wit|i the same key, she 
could add the scrambled texts to obtain the sum of the 
plain texts: SiBs2=miBk®m2®k^mi®m2Bk®k 
=mi®m2, where we use the fact that e is commuta- 
tive.) Furthermore, the key has to be transmitted by 
some trusted means, such as a courier, or through a per- 
sonal meeting between Alice and Bob. This procedure 
can be complex and expensive, and may even amount to 
a loophole in the system. 

Because of the problem of distributing long sequences 
of key bits, the one-time pad is currently used only for 
the most critical applications. The symmetrical crypto- 
systems in use for routine applications such as 
e-conunerce employ rather short keys. In the case of the 
Data Encryption Standard (also known as DES, pro- 
moted by die United States' National Institute of Stan- 
dards and Technology), a 56-bit key is combined with 
the plain text divided into blocks in a rather complicated 
way, involving permutations and nonlinear functions to 
produce the cipher text blocks (see StaUings, 1999 for a 
didactic presentation). Other cryptosystems (e.g., 
IDEA, The International Data Encryption System, or 
AES, the Advanced Encryption Standard) follow similar 
principles. Like asymmetrical cryptosystems, they offer 
only computational security. However, for a given key 
length, symmetrical systems are more secure than their 
asymmetrical counterparts. 

In practical implementations, asymmetrical algorithms 
are used not so much for encryption, because of their 
slowness, but rather for distribution of session keys for 
symmetrical cryptosystems such as DES. Because the se- 
curity of those algorithms is not proven (see Sec. II.B.1), 
the security of the whole implementation can be com- 
promised. If these algorithms were broken by math- 
ematical advances, QC would constitute the only way to 
solve the key distribution problem. 

3. The one-time pad as "classical teleportatlon" 

The one-time pad has an interesting characteristic. 
Assume that Alice wants to transfer to Bob a faithful 
copy of a classical system, without giving any informa- 
tion to Eve about this system. For this purpose Alice 
and Bob have access only to an insecure classical chan- 
nel. The operation is possible provided they share an 
arbitrarily long secret key. Indeed, in principle, Alice 
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can measure the state of her classical system with arbi- 
trarily high precision and then use the one-time pad to 
securely communicate this information to Bob, who can 
then, in principle, reconstruct (a copy of) the classical 
system. This somewhat artificial use of the one-time pad 
has an interesting quantum relative (see Sec. n.£). 

C. The BB84 protocol 
1. Principle 

The first protocol for QC was proposed in 1984 by 
Charles H. Bennett, of IBM and Gilles Brassard, of the 
University of Montreal, hence the name BB84, as this 
protocol is now known. They presented their work at an 
IEEE conference in India, quite unnoticed by the phys- 
ics community at the term. This underscores the need 
for collaboration in QC between different communities, 
with different jargons, habits, and conventions.^ The in- 
terdiscipJinary character of QC is the probable reason 
for its relatively slow start, but it certainly has contrib- 
uted to the rapid expansion of the field in recent years. 

We shall explain the BB84 protocol using the lan- 
guage of spin I, but clearly any two-level quantmn sys> 
tern would do. The protocol uses four quantum states 
that constitute two bases, for example, the states up |t), 
down ID, left |<— ), and right |— The bases are maxi- 
mally conjugate in the sense that any pair of vectors, one 
from each basis, has the same overlap, e.g., KTI^*— )P 
= J. Conventionally, one attributes the binary value 0 to 
states It) and |-+} and the value 1 to the other two 
states, and calls the states qubits (for quantum bits). In 
the first step, Alice sends individual spins to Bob in 
states chosen at random among the four states (in Fig. 1 
the spin states |t), |— and are identified as 
the polarization states "horizontal," "vertical," "+45°," 
and "—45"^," respectively). How she "chooses at ran- 
dom" is a delicate problem in practice (see Sec. III.D), 
but in principle she could use her free will. The indi- 
vidual spins could be sent all at once or one after the 
other (much more practical), the only restriction being 
that Alice and Bob be able to establish a one-to-one 
correspondence between the transmitted and the re- 
ceived spins. Next, Bob measures the incoming spins in 
one of the two bases, chosen at random (using a 
random-number generator independent from that of Al- 
ice). At this point, whenever they use the same basis, 
they get perfectly correlated results. However, whenever 
they use different bases, they get uncorrelated results. 
Hence, on average, Bob obtains a string of bits with a 
25% error rate; called the raw key. This error rate is so 
high that standard error correction schemes would fail. 
But in this protocol, as we shall see, Alice and Bob know 



^For instance, it is amusing to note that physicists strive to 
publish in reputable journals, while conference proceedings 
are of secondary importance. For computer scientists, in con- 
trast, appearance in the proceedings of the best conferences is 
consideired more important, while journal publication is sec- 
ondary. 
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which bits are perfectly correlated (the ones for which 
Alice and Bob used the same basis) and which ones are 
completely uncorrelated (all the other ones). Hence a 
straightforward error correction scheme is possible: For 
each bit Bob announces pubhcly in which basis he mea- 
sured the corresponding qubit (but he does not tell the 
result he obtained). Alice then reveals only whether or 
not the state in which she encoded that qubit is compat- 
ible with the basis announced by Bob. If the state is 
compatible, they keep the bit; if not, they disregard it. In 
this way about 50% of the bit string is discarded. This 
shorter key obtained after basis reconcitiation is called 
the sifted key,^ The fact that Alice and Bob use a public 
channel at some stage of their protocol is very common 
in cryptoprotocols. This channel does not have to be 
confidential, only authentic. Hence any adversary Eve 
can listen to all the communication on the public chan- 
nel, but she cannot modify it. In practice Alice and Bob 
may use the same transmission channel to implement 
boUi the quantum and the classical channels. 

Note that neither Alice nor Bob can decide which key 
results from the protocol.^ Indeed, it is the conjunction 
of both of their random choices that produces the key. 

Let us now consider the security of the above ideed 
protocol (ideal because so far we have not taken into 
account unavoidable noise in practice, due to technical 
imperfections). Assume that some adversary Eve inter- 
cepts a qubit propagating from Alice to Bob. This is very 
easy, but if Bob does not receive an expected qubit, he 
will simply teU Alice to disregard it Hence Eve only 
lowers the bit rate (possibly down to zero), but she does 
not gain any useful information. For real eavesdropping 
Eve must send a qubit to Bob. Ideally she would like to 
send this qubit in its original state, keeping a copy for 
herself. 



2. No-cloning theorem 

Following Wootters and Zurek (1982) one can easily 
prove that perfect copying is impossible in the quantum 
world (see also the anticipatory intuition of Wigner in 
1961, as well as Dieks, 1982 and Milonni and Hardies, 
1982), Let (A denote the original state of the qubit, \b) 
the blank copy,^ and |0) e Hqcm initial state of Eve's 
"quantum copy machine," where the Hilbert space 
Hqcm of the quantum cloning machine is arbitrary. The 
ideal machine would produce 



^his terminology was introduced by Ekert and Huttner in 
1994. 

^Alice and Bob can, however, determine the statistics of the 
key. 

^\b) corresponds to the stock of white paper in an everyday 
photocopy machine. We shall assume that the machine is not 
empty, a purely theoretical assumption, as is well known. 
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ilf^\b)^\Q)-*ilf^^®\U), (3) 

where \f^) denotes the final state of Eve's machine, 
which might depend on t/f. Accordingly, using obvious 
notations, 

lT,^0>^|T,T,/t>. (4) 

and 

li,^,0)-.|i,i,/i). (5) 
By linearity of quantum dynamics it follows that 

l-.i^,0>=^(|T>+U»®|6,0) (6) 

-:^(lTJ/T)+ua,/i)). (7) 

But the latter state differs from the ideal copy [-♦, 
whatever the states |/^) are. 
Consequently, Eve cannot keep a perfect quantum 
copy, because perfect quantum copy machines cannot 
exist. The possibility of copying classical information is 
probably one of the most characteristic features of infor- 
mation in the everyday sense. The fact that quantum 
states, nowadays often called quantum information, can- 
not be copied is certainly one of the most specific at- 
tributes that make this new kind of information so dif- 
ferent and hence so attractive. Actually, this negative 
capability clearly has its positive side, since it prevents 
Eve from perfect eavesdropping and hence makes QC 
potentially secure. 

3. Intercept-resend strategy 

We have seen that the eavesdropper needs to send a 
qubit to Bob while keeping a necessarily imperfect copy 
for herself. How imperfect the copy has to be, according 
to quantum theory, is a delicate problem that we shall 
address in Sec. VI. Here, let us develop a simple eaves- 
dropping strategy, called intercept-resend. This simple 
and even practical attack consists of Eve's measuring 
each qubit in one of the two bases, precisely as Bob 
does. Then, she resends to Bob another qubit in the 
state corresponding to her measurement result. In about 
half of the cases, Eve will be lucky and choose the basis 
compatible with the state prepared by Ahce. In these 
cases she resends to Bob a qubit in the correct state, and 
Alice and Bob will not notice her intervention. How- 
ever, in the other half of the cases, Eve unluckily uses 
the basis incompatible with the state, prepared by Alice. 
This necessarily happens, since Eve has no information 
about Alice's random-number generator (hence the im- 
portance of this generator's being truly random). In 
these cases the qubits sent out by Eve are in states with 
an overlap of j with the correct states. Alice and Bob 
thus discover her intervention in about half of these 
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cases, since they get uncorrelated results. Altogether, if 
Eve uses this intercept-resend strategy, she gets 50% in- 
formation, while Ahce and Bob have about a 25% error 
rate in their sifted key, i.e., after they eliminate the cases 
in which they used incompatible states, there is still 
about 25% error. . They can thus easily detect the pres- 
ence of Eve, If, however, Eve applies this strategy to 
only a fraction of the communication, say 10%, then the 
error rate will be only «»2.5%, while Eve's information 
will be % . The next section explains how Alice and 
Bob can counter such attacks. 

4. Error correction, privacy amplification, and quantum 
secret growing 

At this point in the BB84 protocol, Alice and Bob 
share a so-called sifted key. But this key contains errors. 
The errors are caused by technical imperfections, as well 
as possibly by Eve's intervention. Realistic error rates in 
the sifted key using today's technology are of the order 
of a few percent. This contrasts strongly with the 10"^ 
error rate typical in optical communication. Of course, 
the few-percent error rate will be corrected down to the 
standard 10"^ during the (classical) error correction step 
of the protocol. In order to avoid confusion, especially 
among optical communication specialists, Beat Pemy 
from Smsscom and Paul Townsend, then with British 
Telecommunications (BT), proposed naming the error 
rate in the sifted key QBER, for quantum bit error rate, 
to clearly distinguish it from the bit error rate (BER) 
used in standard communications. 

Such a situation, in which legitimate partners share 
classical mformation with high but not 100% correlation 
and with possibly some correlation to a third party, is 
common to all quantum cryptosystems. Actually, it is 
also a standard starting point for classical information- 
based cryptosystems in which one assumes that some- 
how Ahce, Bob, and Eve have random variables a, /?, 
and €, respectively, with a joint probabihty distribution 
P{a,p,€), Consequently, the last step in a QC protocol 
uses classical algorithms, first to correct the errors, and 
then reduce to Eve's information on the final key, a pro- 
cess called privacy amplification. 

The first mention of privacy amplification appeared in 
Bennett, Brassard, and Robert (1988). It was then ex- 
tended in collaboration with C, Crepeau from the Uni- 
versity of Montreal and U. Maurer of ETH, Ziirich, re- 
spectively (Bennett, Brassard, etal 1995; see also 
Bennett, Bessette, etal, 1992). Interestingly, this work 
motivated by QC found applications in standard 
information-based cryptography (Maurer, 1993; Maurer 
and Wolf, 1999). 

Assume that a joint probabihty distribution P{a,fi,e) 
exists. Near the end of this section, we shall comment on 
this assumption. Ahce and Bob have access only to the 
marginal distribution P(a,/3). From this and from the 
laws of quantum mechanics, they have to deduce con- 
straints on the complete scenario P(a,y3,e); in particu- 
lar they have to bound Eve's information (see Sees. VI.E 
and VI.G). Given ?(a,/?,6), necessary and sufficient 
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conditions for a positive secret-key rate between Alice 
and Bob, 5(a,/3||£), are not yet known. However, a use- 
ful lower bound is given by the difference between Alice 
and Bob's mutual Shannon information I(a,fi) and 
Eve^ mutual information (Csiszar and Korner, 1978, and 
Theorem 1 in Sec. VI.G): 

5(a,i8||6)5=max{/(a,i9)-/(a,€),/(a,^)-/()8,6)}. (8) 

Intuitively, this result states that secure-key distillation 
(Bennett, Bessette, etaL, 1992) is possible whenever 
Bob has more information than Eve. 

The bound (8) is tight if AUce and Bob are restricted 
to one-way communication, but for two-way conmiuni- 
cation, secret-key agreement might be possible even 
when condition (8) is not satisfied (see Sec. n.C.5). 

Without discussing any algorithm in detail, let us offer 
some idea of how Alice and Bob can establish a secret 
key when condition (8) is satisfied. First, once the sifted 
key is obtained (i,e., after the bases have been an- 
nounced), Ahce and Bob publicly compare a randomly 
chosen subset of it. In this way they estimate the error 
rate [more generally, they estimate their marginal prob- 
abiUty distribution P(a,^)]. These pubhcly disclosed 
bits are then discarded. Next, either condition (8) is not 
satisfied and they stop the protocol or condition (8) is 
satisfied and they use some standard error correction 
protocol to get a shorter key without errors. 

With the simplest error correction protocol, Ahce ran- 
domly chooses pairs of bits and announces their XOR 
value (i,e., their sum modulo 2), Bob replies either "ac- 
cept" if he has the same XOR value for his correspond- 
ing bits, or "reject" if not. In the first case, Alice and 
Bob keep the fiarst bit of the pair and discard the second 
one, while in the second case they discard both bits. In 
reahty, more complex and efficient algorithms are used. 

After error correction, Alice and Bob have identical 
copies of a key, but Eve may still have some information 
about it [compatible with condition (8)]. Alice and Bob 
thus need to reduce Eve's information to an arbitrarily 
low value using some privacy amplification protocols. 
These classical protocols typically work as follows. Ahce 
again randomly chooses pairs of bits and computes their 
XOR value. But, in contrast to error correction, she 
does not announce this XOR value. She only announces 
which bits she chose (e.g., bits number 103 and 537). 
Alice and Bob then replace the two bits by their XOR 
value. In this way they shorten their key while keeping it 
error free, but if Eve has only partial information on the 
two bits, her information on the XOR value is even less. 
Assume, for example, that Eve knows only the value of 
the first bit and nothing about the second one. Then she 
has no information at all about the XOR value. Also, if 
Eve knows the value of both bits with 60% probability, 
then the probability that she correctly guesses the XOR 
value is only 0.6^+0.4^ = 52%, This process would have 
to be repeated several times; more efficient algorithms 
use larger blocks (Brassard and Salvail, 1994). 

The error correction and privacy amplification algo- 
rithms sketched above are purely classical algorithms. 
This illustrates that QC is a truly interdisciplinary field. 
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Actually, the above scenario is incomplete. In this pre- 
sentation, we have assumed that Eve measures her 
probe before AUce and Bob run the error correction and 
privacy amphfication algorithms, hence that P{a,p,€) 
exists. In practice this is a reasonable assumption, but in 
principle Eve could wait until the end of all the proto- 
cols and then optimize her measurements accordingly. 
Such "delayed-choice eavesdropping strategies"' are 
discussed in Sec. VI. 

It should by now be clear that QC does not provide a 
complete solution for all cryptographic purposes.^^ Ac- 
tually, quite the contrary, QC can only be used as a 
complement to standard symmetrical cryptosystems. Ac- 
cordingly, a more precise name for QC is quantum key 
distribution, since this is all QC does. Nevertheless, we 
prefer to keep the well-known terminology, which lends 
its name to the title of this review. 

Finally, let us emphasize that every key distribution 
system must incorporate some authentication scheme: 
the two parties must identify themselves. If not, AHce 
could actually be communicating directly with Eve. A 
straightforward approach is for AUce and Bob initiaUy 
to share a short secret Then QC provides them with a 
longer one and they each keep a small portion for au- 
thentication at the next session (Bennett, Bessette, et aL, 
1992). From this perspective, QC is a quantum secret- 
growmg protocol. 

5. Advantage distillation 

QC has motivated and stiU motivates research in clas- 
sical information theory. The best-known example is 
probably the development of privacy amplification algo- 
rithms (Bennett et at. , 1988, 1995). This in turn led to the 
development of new cryptosystems based on weak but 
classical signals, emitted for instance by sateUites (Mau- 
rer, 1993). These new developments required secret- 
key agreement protocols that could be used even when 
condition (8) did not apply. Such protocols, called ad- 
vantage distillation, necessarily use two-way communica- 
tion and are much less efficient than privacy amplifica- 
tion. UsuaUy, they are not considered m the Uterature on 
QC, but conceptually they are remarkable from at least 
two points of view. First, it is somewhat surprising that 
secret-key agreement is possible even if Alice and Bob 
start with less mutual (Shannon) information than Eve. 
They can take advantage of the authenticated pubUc 



^Note, however, that Eve has to choose the interaction be- 
tween her probe and the qubits before the public discussion 
phase of the protocol. 

■^^or a while it was thought that bit commitment (see, for 
example, Brassard, 1988), a powerful primitive in cryptology, 
could be realized using quantum principles. However, Dominic 
Mayers (1996a, 1997) and Lo and Chau (1998) proved it to be 
impossible (see also Brassard et ai, 1998). 

^%ote that here confidentiality is not guaranteed by the laws 
of physics, but relies on the assumption that Eve's technology 
is limited, e.g., her antenna is finite, and her detectors have 
limited efficiencies. 
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channel to decide which series of realizations to keep, 
whereas Eve cannot influence this process^^ (Maurer, 
1993; Maurer and Wolf, 1999). 

Recently, a second remarkable feature of advantage 
distillation, connecting quantum and classical secret-key 
agreement, has been discovered (assuming one uses the 
Ekert protocol described in Sec. ILD.3): If Eve follows a 
strategy that optimizes her Shannon information, under 
the assumption that she attacks the qubits one at a time 
(the so-called individual attack; see Sec. VI.E), then Al- 
ice and Bob can use advantage distillation if and only if 
Alice and Bob^ qubits are still entangled (they can thus 
use quantum privacy amplification; Deutsch et aL, 1996; 
Gisin and Wolf, 1999). This connection between the con- 
cept of entanglement, central to quantum information 
theory, and the concept of intrinsic classical information, 
central to classical information-based cryptography 
(Maurer and Wolf, 1999), has been shown to be general 
(Gisin and Wolf, 2000). The connection seems to extend 
even to bound entanglement (Gisin etoL, 2000). 

D. Other protocols 

1. Two-state protocol 

In 1992 Bennett noticed that four states are more than 
are really necessary for QC: only two nonorthogonal 
states are needed. Indeed the security of QC relies on 
the inability of an adversary to distinguish unambigu- 
ously and without perturbation between the different 
states that Alice may send to Bob; hence two states are 
necessary, and if they are incompatible (i.e., not mutu- 
ally orthogonal), then two states are also sufficient (Ben- 
nett, 1992). This is a conceptually important clarifica- 
tion. It also made several of the first experimental 
demonstrations easier (as is discussed further in Sec, 
IVD). But in practice, it is not a good solution. Indeed, 
although two nonorthogonal states cannot be distin- 
guished unambiguously without perturbation, one can 
unambiguously distinguish between them at the cost of 
some losses (Ivanovic, 1987; Peres, 1988). This possibil- 
ity has been demonstrated in practice (Huttner, Gautier, 
etaL, 1996; Clarke etaL, 2000). Alice and Bob would 
have to monitor the attenuation of the quantum channel 
(and even this would not be entirely safe if Eve were 
able to replace the channel by a more transparent one; 
see Sec. VI.H). The two-state protocol can also be 
implemented using interference between a macroscopic 



^^The idea is that Alice picks out several instances in which 
she got the same bit and communicates the instances — but not 
the bit — to Bob. Bob replies yes only if it happens that for all 
these instances he also has the same bit value: For high error 
rates this is unlikely, but when it does happen there is a high 
probability, that both have the same bit. Eve cannot influence 
the choice of the instances. All she can do is use a majority 
vote for the cases accepted by Bob. The probability that Eye 
makes an error can be much higher than the probability that 
Bob makes an error (i.e., that all his instances are wrong)^ even 
if Eve has more initial information than Bob. 
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FIG. 2. Poincare sphere with a representation of six states that 
can be used to implement the generalization of the BB84 pro- 
tocol. 

bright pulse and a dim pulse with less than one photon 
on average (Bennett, 1992). The presence of the bright 
pulse makes this protocol especially resistant to eaves- 
dropping, even in settings with high attenuation. Bob 
can monitor the bright pulses to make sure that Eve 
does not remove any In this case, Eve cannot eliminate 
the dim pulse without revealing her presence, because 
the interference of the bright pulse with vacuum woidd 
introduce errors. A practical implementation of this so- 
called 892 protocol is discussed in Sec. IV.D. Huttner 
etaL extended this reference-beam monitoring to the 
four-state protocol in 1995. 

2. Six-state protocol 

While two states are enough and four states are stan- 
dard, a six-state protocol better respects the synunetry 
of the qubit state space; see Fig. 2 (Bniss, 1998; 
Bechmann-Pasquinucd and Gisin, 1999). The six states 
constitute three bases, hence the probability that Alice 
and Bob choose the same basis is only 5, but the sym- 
metry of this protocol greatiy simplifies the security 
analysis and reduces Eve's optimal information gain for 
a given error rate QBER. If Eve measures every photon, 
the QBER is 33%, compared to 25% in the case of the 
BB84 protocol. 

3. Einsteln-Podolsky-Rosen protocol 

This variation of the BB84 protocol is of special con- 
ceptual, historical, and practical interest. The idea is due 
to Artur Ekert (1991) of Oxford University, who, while 
elaborating on a suggestion of David Deutsch (1985), 
discovered QC independently of the BB84 paper. Intel- 
lectually, it is very satisfying to see this direct connection 
to the famous EPR paradox (Einstein, Podolski, and 
Rosen, 1935): the initially philosophical debate turned to 
theoretical physics with Bell's inequahty (1964), then to 
experimental physics (Freedmann and Clauser, 1972; Fry 
and Thompson, 1976; Aspect et aL, 1982), and is now — 
thanks to Ekeft's ingenious idea— part of appUed phys- 
ics. 

The idea consists in replacing the quantum channel 
carrying two qubits from Ahce to Bob by a channel car- 
rying two qubits from a common source, one qubit to 
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FIG. 3. Einstein-Podolsky-Rosen (EPR) protocol, with the 
source and a Poincare representation of the four possible 
states measured independently by Alice and Bob. 

Alice and one to Bob. A first possibility would be that 
the source always emits the two qubits in the same state 
chosen randomly among the four states of the BB84 pro- 
tocol Alice and Bob would then both measure their qu- 
bit in one of the two bases, again chosen independently 
and randomly. The source then announces the bases, 
and Alice and Bob keep the data only when they hap- 
pen to have made their measurements in the compatible 
basis. If the source is reliable, this protocol is equivalent 
to that of BB84: It is as if the qubit propagates back- 
wards in time from Alice to the source, and then for- 
ward to Bob. But better than trusting the source, which 
could be in Eve's hand, the Ekert protocol assumes that 
the two qubits are emitted in a maximally entangled 
state like 



(9) 



Then, when Alice and Bob happen to use the same ba- 
sis, either the x basis or the y basis, i.e., in about half of 
the cases, their results are identical, providing them with 
a common key. Note the similarity between the one- 
qubit BB84 protocol illustrated in Fig. 1 and the two- 
qubit Ekert protocol of Fig. 3. The analogy can be made 
even stronger by noting that for all unitary evolutions 
Ui and Ujy the following equality holds: 

U^^U2^^''^^l®U2U[^^^\ (10) 

where U[ denotes the transpose. 

In his 1991 paper Ekert suggested basing the security 
of this two-qubit protocol on Bell's inequahty, an in- 
equahty which demonstrates that some correlations pre- 
dicted by quantum mechanics cannot be reproduced by 
any local theory (Bell, 1964). To do this, Alice and Bob 
can use a third basis (see Fig. 4), In this way the prob- 
ability that they might happen to choose the same basis 
is reduced from \ to |, but at the same time as they 
establish a key, they collect enough data to test Bell's 
inequaUty.^*^ They can thus check that the source really 
emits the entangled state (9) and not merely product 
states. The following year Bennett, Brassard, and Mer- 
min (1992) criticized Ekert's letter, arguing that the vio^ 
lation of Bell*s inequality is not necessary for the secii- 



^^A maximal violation of Bell's inequality is necessary to rule 
out tampering by Eve. In this case, the QBER must necessarily 
be equal to zero. With a nonmaximal violation, as typically 
obtained in experimental systems, Alice and Bob can distill a 
secure key using error correction and privacy amplification. 
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FIG, 4. Illustration of protocols exploiting EPR quantum sys- 
tems. To implement the BB84 quantum cryptographic proto- 
col, Alice and Bob use the same bases to prepare and measure 
their particles. A representation of their states on the Poincare 
sphere is shown. A similar setup, but with Bob^ bases rotated 
by 45", can be used to test the violation of Bell^ mequality. 
Finally, in the Ekert protocol, Alice and Bob may use the vio- 
lation of Bell'is inequality to test for eavesdropping. 

rity of QC and emphasizing the close connection 
between the Ekert and the BB84 schemes. This criticism 
might be missing an important point. Although the exact 
relation between security and Bellas inequahty is not yet 
fully known, there are clear results estabUshing fascinat- 
ing connections (see Sec. VI.F). In October 1992, an ar- 
ticle by Bennett, Brassard, and Ekert demonstrated that 
the founding fathers of QC were able to join forces 
to develop the field in a pleasant atmosphere (Bennett, 
Brassard, and Ekert, 1992). 



4. Other variations 

There is a large collection of variations on the BB84 
protocol. Let us mention a few, chosen somewhat arbi- 
trarily First, one can assume that the two bases are not 
chosen with equal probability (Ardehali etaL, 1998). 
This has the nice consequence that the probability that 
Alice and Bob choose the same basis is greater than 2, 
thus increasing the transmission rate of the sifted key 
However, this protocol makes Eve's job easier, as she is 
more hkely to guess correctly the basis that was used. 
Consequently, it is not clear whether the final key rate, 
after error correction and privacy amplification, is 
higher or not. 

Another variation consists in using quantum systems 
of dimension greater than 2 (Bechmann-Pasquinucci 
and Peres, 2000; Bechmann-Pasquinucci and Tittel, 
2000; Bourennane, Karlsson, and Bjorn, 2001). Again, 
the practical value of this idea has not yet been fully 
determined. 

A third variation worth mentioning is due to Golden- 
berg and Vaidman of Tel Aviv University (1995). They 
suggested preparing the qubits in a superposition of two 
spatially separated states, then sending one component 
of this superposition and waiting until Bob receives it 
before sending the second component. This does npt 
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sound of great practical value, but has the nice concep- 
tual feature that the minimal two states do not need to 
be mutually orthogonal. 

E. Quantum teleportation as a "quantum one-time pad" 

Since its discovery in 1993 by a surprisingly large 
group of physicists, quantum teleportation (Bennett 
etaL, 1993) has received much attention from both the 
scientific community and the general public. The dream 
of beaming travelers through the universe is exciting, 
but completely out of the reahn of any foreseeable tech- 
nology. However, quantum teleportation can be seen as 
the fully quantum version of the one-time pad (see Sec. 
n.B.3), hence as the ultimate form of QC. As in "classi- 
cal teleportation," let us assume that Alice aims to trans- 
fer a faithful copy of a quantum system to Bob. If Alice 
has full knowledge of the quantum state, the problem is 
not really a quantum one (Alice's information is classi- 
cal). If, on the other hand, Alice does not know the 
quantum state, she cannot send a copy, since quantum 
copying is impossible according to quantum physics (see 
Sec. II.C.2). Nor can she send classical instructions, since 
this would allow the production of many copies. How- 
ever, if Alice and Bob share arbitrarily many entangled 
qubits, sometimes called a quantum key, and share a 
classical conmiunication channel, then the quantum tele- 
portation protocol provides them with a means of trans- 
ferring the quantum state of the system from Alice to 
Bob. In the course of running this protocol, Alice's 
quantum system is destroyed without Alice's having 
learned anything about the quantum state, while Bob's 
qubit ends in a state isomorphic to the state of the origi- 
nal system (but Bob does not learn anything about the 
quantum state). If the initial quantum system is a quan- 
tum message coded in the form of a sequence of qubits, 
then this quantum message is faithfully and securely 
transferred to Bob, without any information leaking to 
the outside world (i.e., to anyone not sharing the prior 
entanglement with Alice and Bob). Finally, the quantum 
message could be formed of a four-letter quantum al- 
phabet consisting of the four states of the BB84 proto- 
col. With futuristic but not impossible technology, Alice 
and Bob could keep their entangled qubits in their re- 
spective wallets and could enjoy totally secure commu- 
nication at any time, without even having to know where 
the other is located (provided they can communicate 
classically). 

F. Optical amplification, quantum nondemoiitlon 
measurements, and optimal quantum cloning 

After almost every general talk on QC, two questions 
arise: What about optical amplifiers? and What about 
quantum nondemolition measurements? In this section 
we briefly address these questions. 

Let us start with the second one, as it is the easiest. 
The term "quantum nondemolition measurement" is 
simply confusing. There is nothing like a quantum mea- 
surement that does not perturb (i.e., modify) the quan- 
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turn state, except if the state happens to be an eigenstate 
of the observable. Hence, if for some reason one conjec- 
tures that a quantum system is in some state (or in a 
state among a set of mutually orthogonal ones), one can 
in principle test this conjecture repeatedly (Braginsky 
and Khalili, 1992). However, if the state is only restricted 
to be in a finite set containing nonorthogonal states, as 
in QC, then there is no way to perform a measurement 
without "demoUshing" (perturbing) the state. Now, in 
QC the term "nondemolition measurement" is also used 
with a different meaning: one measures the number of 
photons in a pulse without affecting the degree of free- 
dom coding the qubit (e.g., the polarization; see Sec. 
VI.H), or one detects the presence of a photon without 
destroying it (Nogues etaL, 1999). Such measurements 
are usually called ideal measurements, or projective mea- 
surements, because they produce the least possible per- 
turbation (Piron, 1990) and because they can be repre- 
sented by projectors. It is important to stress that these 
"ideal measurements" do not invaUdate the security of 
QC 

Let us now consider optical amplifiers (a laser me- 
dium, but without mirrors, so that amplification takes 
place in a single pass; see Desurvire, 1994). They are 
widely used in today's optical communication networks. 
However, they are of no use for quantum communica- 
tion. Indeed, as seen in Sec. II.C, the copying of quan- 
tum information is impossible. Here we illustrate this 
characteristic of quantum information by the example of 
optical amplifiers: the necessary presence of spontane- 
ous emission whenever there is stimulated emission pre- 
vents perfect copying. Let us clarify this important and 
often confusing point, following the work of Simon et al 
(1999, 2000; see also De Martini et al, 2000 and Kempe 
et al, 2000). Let the two basic qubit states |0) and |l) be 
physically implemented by two optical modes: 
|0)^|1,0) and |1)^|0,1). Thus |/i,m)^y,®|^,/)^ denotes 
the state of n photons in mode 1 and m photons in mode 
2, while /:,/=0(l) denotes the ground (or excited) state 
of two-level atoms coupled to mode 1 or 2, respectively. 
Hence spontaneous emission corresponds -to 



|0,0)^A®il,0),--.|l,0)^;^® ICO), , (11) 

|0,0)p,® |0,1),-.|0,1)^,® |0,0), , (12) 
and stimulated emission to 

11,0)^,0 11,0),-. v2|2,0),,®|0,0), . (13) 

I0,l>p/:®|0,1),^V5|0,2>,,® |0,0), , (14) 



where the factor of V5 takes into account the ratio of 
stimulated to spontaneous emission. Let the initial state 
of the atom be a mixture of the following two states, 
each with equal (50%) weijgjit: 

|0,1), and |1,0)„ . (15). 

By symmetry, it suffices to consider one possible initial, 
state of the qubit, e.g., one photon in the first mode 
|l,0)pA. The initial state of the photon -I- atom system is 
thus a mixture; 
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|l,0>pA®|l,0)a or |l,0)p;,®|0,l)a. (16) 

This conesponds to the first-order term in an evolution 
with a Hamiltonian (in the interaction picture): H 
=;(^(aJ<rJ"+aio'|4-flJ<r2 +^2^2)- After some time the 
two-photon component of the evolved states becomes 

v^|2,0)^A®|0,0), or |l,l)p/,®|0,0),, (17) 

The correspondence with a pair of spin j goes as fol- 
lows: 

|2,0>=|TT), |0,2)=|ii>, (18) 



|l,l)p,= ^(+)=-^(|Ti)+UT)). 



(19) 



Tracing over the amplifier (Le., the two-level atom), an 
(ideal) amplifier achieves the following transformation: 

P|^2i>|t+^^+), (20) 

where the P's indicate projectors (Le., pure-state density 
matrices) and the lack of normalization results from the 
first-order expansion used in Eqs. (11)~(14). Accord- 
ingly, after normalization, each photon is in the state 



-pA rnode\ ^ 

The corresponding fideUty is 



(21) 



(22) 



which is precisely the optimal fidelity compatible with 
quantum mechanics (Buzek and Hillery, 1996; Gisin and 
Massar, 1997; Brass etaL, 1998). In other words, if we 
start with a single photon in an arbitrary state and pass it 
through an amphfier, then due to the effect of spontane- 
ous emission the fideUty of the state exiting the amph- 
fier, when it consists of exactly two photons, with the 
initial state will be equal to at most 5/6. Note that if it 
were possible to make better copies, then signaling at 
arbitrarily fast speed, using EPR correlations between 
spatially separated systems, would also be possible (Gi- 
sin, 1998). 

III. TECHNOLOGICAL CHALLENGES 

The very first demonstration of QC was a table-top 
experiment performed at the IBM laboratory in the 
early 1990s over a distance of 30 cm (Bennett, Bessette, 
etaL, 1992), marking the start of a series of impressive 
experimental improvements over the past few years. 
The 30-cm distance is of Uttle practical interest. Either 
the distance should be even shorter [think of a credit 
card and an ATM machine (Huttner, Imoto, and Har- 
nett, 1996), in which case all of Alice's components 
should fit on the credit card — a nice idea, but still im- 
practical with present technology] or the distance should 
be much longer, at least in the kilometer range. Most of 
the research so far uses optical fibers to guide the pho- 
tons from Alice to Bob, and we shall mainly concentrate 



on such systems here. There is also, however, some very 
significant research on free-space systems (see Sec 
IV.E). 

Once the medium has been chosen, there remain the 
questions of the source and detectors. Since they have to 
be compatible, the crucial dioice is that of the wave- 
length. There are two main possibiUties. Either one 
chooses a wavelength around 800 nm, for which efficient 
photon counters are commercially available, or one 
chooses a wavelength compatible with today^s telecom- 
munications optical fibers, i.e., near 1300 or 1550 nm. 
The first choice requires free-space transmission or the 
use of special fibers, hence the installed telecommunica- 
tions networks cannot be used. The second choice re- 
quires the improvement or development of new detec- 
tors, not based on silicon semiconductors, which are 
transparent above a wavelength of 1000 nm. 

In the case of transmission using optical fibers, it is 
still unclear which of the two alternatives will turn out to 
be the best choice. If QC finds niche markets, it is con- 
ceivable that special fibers will be installed for that pur- 
pose. But it is equally conceivable that new commercial 
detectors will soon make it much easier to detect single 
photons at telecommunications wavelengths. Actually, 
the latter possibiHty is very likely, as several research 
groups and industries are already working on it. There is 
another good reason to bet on this solution: the quality 
of telecommunications fibers is much higher than that of 
any special fiber; in particular, the attenuation is much 
lower (this is why the telecommunications industry 
chose these wavelengths): at 800 nm, the attenuation is 
about 2 dB/km (i.e., half the photons are lost after 1.5 
km), while it is only of the order of 0.35 and 0.20 dB/km 
at 1300 and 1550 nm, respectively (50% loss after about 
9 and 15 km).^^ 

In the case of free-space transmission, the choice of 
wavelength is straightforward, since the region where 
good photon detectors exist — around 800 nm — coincides 
with that where absorption is low. However, free-space 
transmission is restricted to Hne-of-sight finks and is very 
weather dependent. 

In the next sections we successively consider the ques- 
tions of how to produce single photons (Sec. m.A), how 
to transmit them (Sec. in.B), how to detect single pho- 
tons (Sec, ni.C), and finally how to exploit the intrinsic 
randomness of quantum processes to build random gen- 
erators (Sec. in.D). 

A. Photon sources 

Optical quantum cryptography is based on the use of 
single-photon Fock states. Unfortunately, these states 
are difficult to reahze experimentally. Nowadays, practi- 
cal implementations rely on faint laser pulses or en- 
tangled photon pairs, in which both the photon and the 
photon-pau: number distribution obey Poisson statistics. 



^^he losses in dB (/^^) can be calculated from the losses in 
percent (/%): /^a^ -101ogio[l- (/%/100)]. 
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Hence both possibilities suffer from a small probability 
of generating more than one photon or photon pair at 
the same time. For large losses in the quantum channel, 
even small fractions of these multiphotons can have im- 
portant consequences on the security of the key (see 
Sec. VI.H), leading to interest in "photon guns"; see Sec. 
in.A.3). In this section we briefly conunent on sources' 
based on faint pulses as well as on entangled photon 
pairs, and we compare their advantages and drawbacks. 



1. Faint laser pulses 

There is a very simple solution to approximate single- 
photon Fock states: coherent states with an ultralow 
mean photon number jjl. They can easily be realized us- 
ing only standard semiconductor lasers and calibrated 
attenuators. The probabihty of finding /z photons in such 
a coherent state follows the Poisson statistics: 



(23) 



Accordingly, the probability that a nonempty weak co- 
herent pulse contains more than one photon, 



P(n >l|rt>0,At)= 



1-P(0,m)-P(1,m) 
1-/^(0,/^) 



l-e"^(l + M) 



'1' 



(24) 



can be made arbitrarily small. Weak pulses are thus ex- 
tremely practical and have indeed been used in the vast 
majority of experiments. However, they have one major 
drawback. When fi is small, most pulses are empty: 
P{n-^)*^1 — fi. In principle, the resulting decrease in 
bit rate could be compensated for thanks to the achiev- 
able gigahertz modulation rates of telecommunications 
lasers. But in practice, the problem comes from the de- 
tectors' dark counts (i.e., a click without a photon's ar- 
riving). Indeed, the detectors must be active for all 
pulses, including the empty ones. Hence the total dark 
counts increase with the laser's modulation rate, and the 
ratio of detected photons to dark counts (i.e., the signal- 
to-noise ratio) decreases with fi (see Sec. IV A). The 
problem is especially severe for longer wavelengths, at 
which photon detectors based on indium gaUium ar- 
senide semiconductors (InGaAs) are needed (see Sec. 
III.C), since the noise of these detectors explodes if they 
are opened too frequently (in practice with a rate larger 
than a few megahertz). This prevents the use of really 
low photon numbers, smaller than approximately 1%. 
Most experiments to date have reUed on ;<t=0.1, mean- 
ing that 5% of the nonempty pulses contain more than 
one photon. However, it is important to stress that, as 
pointed out by Liitkenhaus (2000), there is an optimal 



depending on the transmission losses.^^ After key distil- 
lation, the security is just as good with faint laser pulses 
as with Fock states. The price to pay for using such 
states is a reduction of the bit rate. 

2. Photon pairs generated by parametric downconversion 

Another way to create pseudo-single-photon states is 
the generation of photon pairs and the use of one pho- 
ton as a trigger for the other one (Hong and Mandel, 
1986). In contrast to the sources discussed earlier, the 
second detector must be activated only whenever the 
first one has detected a photon, hence when /a=1, and 
not whenever a pump pulse has been emitted, therefore 
circumventing the problem of empty pulses. 

The photon pairs are generated by spontaneous para- 
metric downconversion in a x^^^ nonlmear crystal.*^ In 
this process, the inverse of the well-known frequency 
doubling, one photon spontaneously spUts into two 
daughter photons — traditionally called signal and idler 
photons — conserving total energy and momentum. In 
this context, momentum conservation is called phase 
matching and can be achieved despite chromatic disper- 
sion by exploiting the birefringence of the nonlinear 
crystal Phase matching allows one to choose the wave- 
length and determines the bandwidth of the downcon- 
verted photons. The latter is in general rather large and 
varies from a few nanometers up to some tens of na- 
nometers. For the nondegenerate case one typically gets 
a bandwith of 5-10 nm, whereas in the degenerate case 
(where the central frequency of both photons is equal), 
the bandwidth can be as large as 70 nm. 

This photon-pair creation process is very inefficient; 
typically it takes some 10^° pump photons to create one 
pair in a given mode." The number of photon pairs per 
mode is thermally distributed within the coherence time 
of the photons and follows a Foissonian distribution for 
larger time windows (Walls and Milburn, 1995). With a 
pump power of 1 mW, about 10^ pairs per second can be 
collected in single-mode fibers. Accordingly, in a time 
window of roughly 1 ns, the conditional probability of 
finding a second pair, having already detected one, is 
10^X10~^«0.1%. In the case of continuous pumping, 
this time window is given by the detector resolution. Tol- 
erating, for example, 1% of these multipair events, one 
can generate 10^ pairs per second using a realistic 



^^Contrary to a frequent misconception, there is nothing spe- 
cial about a /x value of 0.1, even though it has been selected by 
most experimentalists. The optimal value— i.e., the value that 
yields the highest key exchange rate after distillation- 
depends on the optical losses in the channel and on assump- 
tions about Eve's technology (see Secs; VI.H and VI.I). 

^^For a review see Rarity and Tapster (1988), arid for more 
recent developments . see Kwiat et at. (1999), Tittel et at 
(1999), Jennewein, Simon, etal. (2000), and Tanzilli et al. 
(2001). 

"Recently we achieved a conversion rate of 10"^ using an 
optical Waveguide in a periodically poled LlNbOs crystal (Tan- 
zilli a/., 2001). 
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FIG. S. Photo of our entangled photon-pair source as used in 
the first long-distance test of Bell'is inequalities (Uttel etaL, 
1998). Note that the whole source fits mto a box only 40X45 
X 15 cm^ in size and that neither a special power supply nor 
water cooling is necessary. 

10-mW pump. To detect, for example, 10% of the trigger 
photons, the second detector has to be activated 10^ 
times per second. In comparison, the example of 1% of 
multiphoton events corresponds in the case of faint laser 
pulses to a mean photon number of ^t=0.02. In order to 
get the same number (10^) of nonempty pulses per sec- 
ond, a pulse rate of 50 MHz is needed. For a given pho- 
ton statistics, photon pairs thus allow one to work with 
lower pulse rates (e.g., 50 times lower) and hence re- 
duced detector-induced errors. However, due to limited 
coupling efficiency in optical fibers, the probability of 
finding the sister photon after detection of the trigger 
photon in the respective fiber is in practice less than 1. 
This means that the effective photon number is not 1 but 
rather fjL^2/3 (Ribor dy .et oL, 2001), still well above ft 
= 0.02. 

Photon pairs generated by parametric downconver- 
sion offer a further major advantage if they are not 
merely used as a pseudo-single-photon source, but if 
their entanglement is exploited. Entanglement leads to 
quantum correlations that can be used for key genera- 
tion (see Sees. n.D.3 and V). In this case, if two photon 
pairs are emitted within the same time window but their 
measurement basis is chosen independently, they pro- 
duce completely uncorrelated results. Hence, depending 
on the realization, the problem of multiple photons can 
be avoided; see Sec. VI.J. 

Figure 5 shows one of our sources creating entangled 
photon pairs at a wavelength of 1310 nm, as used in tests 
of Beli*s inequalities over 10 kilometers (Tittel etaL, 
1998). Although not as simple as faint laser sources, 
diode-pumped photon-pair sources emitting in the near 
infrared can be made compact, robust, and rather handy. 
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3. Photon guns 

The ideal single-photon source is a device that, when 
one pulls the trigger, and only then, emits one and only 
one photon. Hence the name photon gun. Although 
photon antibunchiiig was first demonstrated years ago 
(Kimble et aL, 1977), a practical and handy device is still 
awaited. At present, there are essentially three different 
experimental approaches that more or less come dose to 
this ideal. 

A first idea is to work with a single two-level quantum 
system that obviously cannot emit two photons at a 
time. The manipulation of single trapped atoms or ions 
requires a much too involved technical effort Single or- 
ganic dye molecules in solvents (Kitson etaL, 1998) or 
solids (Brunei et al, 1999; Fleury et aL, 2000) are easier 
to handle but offer only limited stability at room tem- 
perature. A promising candidate, however, is the 
nitrogen-vacancy center in diamond, a substitutional ni- 
trogen atom with a vacancy trapped at an adjacent lat- 
tice position (Brouri et aL, 2000; Kurtsiefer et oL, 2000). 
It is possible to excite individual nitrogen atoms with a 
532-nm laser beam, which will subsequently emit a fluo- 
rescence photon around 700 nm (12-ns decay time). The 
fluorescence exhibits strong photon antibunching, and 
the samples are stable at room temperature. However, 
the big remaining experimental challenge is to increase 
the collection efficiency (currently about 0.1%) in order 
to obtain mean photon numbers close to 1. To obtain 
this efficiency, an optical cavity or a photonic band-gap 
structure must suppress emission in all spatial modes but 
one. In addition, the spectral bandwidth of this type of 
source is broad (on the order of 100 nm), enhancing the 
effect of perturbations in a quantmn channel. 

A second approach is to generate photons by single 
electrons in a mesoscopic p-n junction. The idea is to 
profit from the fact that thermal electrons show anti- 
bunching (the Pauli exclusion principle) in contrast to 
photons (Imamoglu and Yamamoto, 1994). The first ex- 
perimental results have been presented (Kim etaLy 
1999), but with extremely low efficiencies^ and only at a 
temperature of 50 mK! 

Finally, another approach is to use the photon emis- 
sion of electron-hole pairs in a semiconductor quantum 
dot. The frequency of the emitted photon depends on 
the number of electron-hole pairs present in the dot. 
After one creates several such pairs by optical pumping, 
they will sequentially recombine and hence emit pho- 
tons at different frequencies. Therefore, a single-photon 
pulse can be obtained by spectral filtering (Gerard et aL, 
1999; Michler etaL, 2000; Santori etaL, 2000). These 
dots can be integrated in solid-state microcavities with 
strong enhancements of spontaneous emission (Gerard 
et.aL, 19%). 

In summary, today's photon guns are still too compli- 
cated to be lised in a QC prototype. Moreover, due to 
their low quantum efficiencies, they do not offer an ad- 
vantage over faint laser pulses with extremely low mean 
photon numbers jjl. 



67 



158 



GIsin et a/.: Quantum cryptography 



B. Quantum channels 

The single-photon source and the detectors must be 
connected by a "quantum channel." Such a channel is 
not especially quantum, except that it is intended to 
carry information encoded in individual quantum sys- 
tems. Here "individual" does not mean "nondecom- 
posible," but only the opposite of "ensemble." The idea 
is that the information is coded in a physical system only 
once, in contrast to classical communication, in which 
many photons carry the same information. Note that the 
present-day limit for fiber-based classical optical com- 
munication is akeady down to a few tens of photons, 
although in practice one usually uses many more. With 
increasing bit rate and limited mean power — ^imposed to 
avoid nonlinear effects in silica fibers — ^these figures are 
likely to get closer and closer to the quantum domain. 

Individual quantum systems are usually two-level sys- 
tems, called qubits. During their propagation they must 
be protected from environmental noise. Here "environ- 
ment" refers to everything outside the degree of free- 
dom used for the encoding, which is not necessarily out- 
side the physical system. If, for example, the information 
is encoded in the polarization state, then the optical fre- 
quencies of the photon are part of the environment. 
Hence couphng between the polarization and the optical 
frequency has to be mastered^^ (e;g., by avoiding wave- 
lengthrsensitive polarizers and birefringence). Moreover, 
the sender of the qubits should avoid any correlation 
between the polarization and the spectrum of the pho- 
tons. 

Another difficulty is that the bases used by Alice to 
code the qubits and the bases used by Bob for his mea- 
surements must be related by a known and stable uni- 
taiy transformation. Once this unitary transformation is 
known, Alice and Bob can compensate for it and get the 
expected correlation between their preparations and 
measurements. If it changes with time, they need active 
feedback to track it, and if the changes are too fast, the 
communication must be interrupted. 

1. Single-mode fibers 

light is guided in optical fibers thanks to the refrac- 
tive index profile n(x,y) across the section of the fibers 
(traditionally, the z axis is along the propagation direc- 
tion). Over the last 25 years, a lot of effort has gone into 
reducing transmission losses — initially several dB per 
km — and today the attenuation is as low as 2 dB/km at 
800-nm wavelength, 0.35 dB/km at 1310 nm, and 0,2 
dB/km at 1550 nm (see Fig. 6). It is amusing to note that 
the dynamical equation describing optical pulse propa- 
gation (in the usual slowly varying envelope aproxima- 
tion) is identical to the Schrodinger equation, with 
V(x,y) = -n{x,y) (Snyder, 1983). Hence a positive 
bump in the refractive index corresponds to a potential 
well. The region of the well is called the fiber core. If the 



^^Note that, as we shall see in Sec. V, using entangled photons 
prevents such information leakage. . 
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FIG. 6. Transmission losses vs wavelength in optical fibers. 
Electronic transitions in Si02 lead to absorption at lower 
wavelengths, and excitation of vibrational modes leads to 
losses at higher wavelengths. Superposed is the absorption due 
to Rayleigh backscattering and to transitions in. OH groups. 
Modem telecommunications are based on wavelengths around 
1.3 fan (the second telecommunications window) and 1^ puna. 
(the third teleconununications window). 

core is large, many bound modes exist, corresponding to 
many guided modes in the fiber. Such fibers are called 
multimode fibers. They usually have cores 50 fim m di- 
ameter. The modes couple easily, acting on the quhit Uke 
a nonisolated environment. Hence multimode fibers are 
not appropriate as quantum channels (see, however, 
Townsend, 1998a, 1998b). K, however, the core is small 
enough (diameter of the order of a few wavelengths), 
then a single spatial mode is guided. Such fibers are 
called single-mode fibers. For teleconununications wave- 
lengths (i,e., 1.3 and 1.5 /tm), their core is typically 8 ^tm 
in diameter. Single-mode fibers are very well suited to 
carry single quanta. For example, the optical phase at 
the output of a fiber is in a stable relation with the phase 
at the input, provided the fiber does not become elon- 
gated. Hence fiber interferometers are very stable, a fact 
exploited in many instruments and sensors (see, for ex- 
ample, Cancellieri, 1993). 

Accordingly, a single-mode fiber with perfect cyhndric 
symmetry would provide an ideal quantmn channel But 
. ail real fibers have some asymmetries, so that the two 
polarization modes are no longer degenerate, but rather 
each has its own propagation constant. A similar effect 
is caused by chromatic dispersion, in which the group 
delay depends on the wavelength. Both dispersion ef- 
fects are the subject of the next subsections. 

2. Polarization effects in single-mode fibers 

Polarization effects in single-mode fibers are a com- 
mon source of problems in all optical communication 
schemes, classical as well as quantum ones. In recent 
years these effects have been the subject of a major re- 
search effort in classical optical commUnicationi (Gisin 
etaL, 1995). As a result, today's .fibers are much better 
than the fibers of a decade ago. Today, the remaining 
birefringence is small enough for the telecommunica- 
tions industry, but for quantum communication any 
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birefringence, even extremely small, will always remain 
a concern. All fiber-based implementations of QC have 
to face this problem. This is clearly true for polarization- 
based systems, but it is equally a concern for phase- 
based systems, since interference visibility depends on 
the polarization states. Hence, although polarization ef- 
fects are not the only source, of difficulties, we shall de- 
scribe them in some detail, distinguishing among four 
effects: the geometric phase, birefringence, polarization 
mode dispersion, and polarization-dependent losses. 

The geometric phase as encountered when guiding 
light in an optical fiber is a special case of the Berry 
phase,^^ which results when any parameter describing a 
property of the system under concern, here the k vector 
characterizing the propagation of the Ught field, under- 
goes an adiabatic change. Think first of a linear polar- 
ization state, let us say vertical at the input. Will it still 
be vertical at the output? Vertical with respect to what? 
Certainly not the gravitational field! One can follow that 
linear polarization by hand along the fiber and see how 
it may change even along a closed loop. If the loop stays 
in a plane, the state after a loop coincides with the input 
state, but if the loop explores the three dimensions of 
our space, then the final state will differ from the initial 
one by an angle. Similar reasoning holds for the axes of 
elliptical polarization states. The two circular polariza- 
tion states are the eigenstates. During parallel transport 
they acquire opposite phases, called the Berry phases. 
The presence of a geometrical phase is not fatal for 
quantum communication. It simply means that initially 
Alice and Bob have to ahgn their systems by defining, 
for instance, the vertical and diagonal directions (i.e., 
performing the unitary transformation mentioned be- 
fore). If these vary slowly, they can be tracked, though 
this requires active feedback. However, if the variations 
are too fast, the communication might be interrupted. 
Hence aerial cables that swing in the wind are not ap- 
propriate (except with self-compensating configurations; 
see Sec. IV.C.2). 

Birefringence is the presence of two different phase 
velocities for two orthogonal polarization states. It is 
caused by asymmetries in the fiber geometry and in the 
residual stress distribution inside and around the core. 
Some fibers are made birefringent on purpose. Such fi- 
bers are called polarization-maintainiag fibers because 
the birefringence is large enough to effectively uncouple 
the two polarization eigenmodes. Note that only these 
two orthogonal polarization modes are maintained; all 
other modes, in contrast, evolve very quickly, making 
this kind of fiber completely unsuitable for polarization- 



^^he Berry phase was introduced by Michael Berry in 1984, 
and was then observed in optical fiber by Tomita and Chiao 
(1986) and on the single-photon level by Hariharan et al 
(1993), It was studied in connection with photon pairs by Bren- 
del et aL (1995), 
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based QC systems.^ The global effect of the birefrin- 
gence is equivalent to an arbitrary combination of two 
waveplates; that is, it corresponds to a unitary transfor- 
mation. If this transformation is stable, Alice and Bob 
can compensate for it. The effect of birefringence is thus 
similar to the effect of the geometric phase, though, in 
addition to causing a rotation, it may also affect the el- 
Upticity. Stability of birefringence requires slow thermal 
and mechanical variations. 

Polarization mode dispersion (PMD) is the presence 
of two different group velocities for two orthogonal po- 
larization modes. It is due to a delicate combination of 
two causes. First, birefringence produces locally two 
group velocities. For optical fibers, this local dispersion 
is m good approximation equal to the phase dispersion, 
of the order of a few picoseconds per kilometer. Hence, 
an optical pulse tends to split locally into a ^t mode 
and a slow mode. But becaiise the birefringence is small, 
the two modes couple easily. Hence any small imperfec- 
tion along the fiber produces polarization mode cou- 
pling: some energy of the fast mode couples into the 
slow mode and vice versa. PMD is thus similar to a ran- 
dom walk^^ and grows only with the square root of the 
fiber length. It is ejroressed in pskm" , with values as 
low as 0.1 pskm"^^ for modem fibers and possibly as 
high as 0.5 or even Ipskm"^^ for older ones. 

Typical lengths for polarization mode coupling vary 
from a few meters up to hundreds of meters. The stron- 
ger the coupling, the weaker the PMD (the two modes 
do not have time to move apart between the coupHngs). 
In modern fibers, the couplings are even artificially in- 
creased during the drawing process of the fibers (Hart 
et aLy 1994; Li and Nolan, 1998). Since the couplings are 
exceedingly sensitive, the only reasonable description is 
a statistical one, hence PMD is described as a statistical 
distribution of delays St, For sufficiently long fibers, the 
statistics are Maxwellian, and PMD is related to the fi- 
ber length /, the mean coupling length /j, the mean 
modal birefringence B, and therms dela y as follows 
(Gisin etui, 1995): PMD= 4{{Sr'))^Bhyl7lh. Polar- 
ization mode dispersion could cause depolarization, 
which would be devastating for quantum communica- 
tion, similar to any decoherence in quantum information 
processing. Fortunately, for quantum conmaunication the 
remedy is easy; it suffices to use a source with a coher- 
ence time longer than the largest delay 6t. Hence, when 
laser pulses are used (with typical spectral widths AX 
^1 nm, corresponding to a coherence time >3 ps; see 
Sec. in.A.l), PMD is no real problem. For photons cre- 



^^Polarization-maintaining fibers may be of use for phase- 
based QC systems. However, this requires that the whole 
setup — transmission lines as well as interferometers at each 
end — be made of polarization-maintaining fibers. While this is 
possible in principle^ the need to install a completely new. fiber 
network makes this solution not very practical. 

^4n contrast to Brownian motion, which describes particle 
diffusion in space as time passes, here photons diffuse over 
time as they propagate along the fiber. 
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ated by parametric downconversion, however, PMD can 
impose severe limitations, since AX^IO nm (coherence 
time ^300 fe) is not unusual. 

Polarization-dependent loss is a differential attenua- 
tion between two orthogonal polarization modes. This 
effect is negligible in fibers, but can be significant in 
components like phase modulators. In particular, some 
integrated optics waveguides actually guide only one 
mode and thus behave almost like polarizers (e.g., pro- 
ton exchange waveguides in LiNbOa). Polarization- 
dependent losses are usually stable, but if connected to a 
fiber with some birefringence, the relation between the 
polarization state and the loss may fluctuate, producing 
random outcomes (Elamari etaL, 1998). Polarization- 
dependent loss cannot be described by a unitary opera- 
tor acting in the polarization state space (but it is of 
course unitary in a larger space (Huttner, Gautier, et al, 
1996). Thus it does not preserve the scalar product. In 
particular, it can turn nonorthogonal states into orthogo- 
nal ones, which can then be distinguished unambigu- 
ously (at the cost of some loss; Huttner, Gautier, etaly 
1996; Qarke etaL, 2000). Note that this attenuation 
could be used by Eve, especially to eavesdrop on the 
two-state protocol (Sec. II.D.1). 

Let us conclude this section on polarization effects in 
fibers by mentioning that they can be passively compen- 
sated for, provided one uses a go-and-retum configura- 
tion, with Faraday mirrors, as described in Sec. IV.C.2. 

3. Chromatic dispersion effects In single-mode fibers 

In addition to polarization effects, chromatic disper- 
sion can also cause problems for quantum cxyptography. 
For instance, as explained in Sees. IV.C and V.B, 
schemes implementing phase or phase-and-time coding 
rely on photons arriving at well-defined times, that is, on 
photons well localized in space. However, in dispersive 
media like optical fibers, different group velocities act as 
a noisy environment on the localization of the photon as 
well as on the phase acquired in an interferometer. 
Hence the broadening of photons featuring nonzero 
bandwidth, or, in other words, the coupling between fre- 
quency and position, must be circumvented or con- 
trolled. This implies working with photons of small 
bandwidth, or, as long as the bandwidth is not too large, 
operating close to the wavelength Xq at which chromatic 
dispersion is zero, i.e., for standard fibers around 1310 
nm. Fortunately, fiber losses are relatively small at this 
wavelength and amount to *«0.35 dB/km. This region is 
called the second telecommunications window.^ There 
are also special fibers, called dispersion-shifted fibers, 
with a refractive index profile such that the chromatic 



^The first one, around 800 nm, is almost no longer used. It 
was motivated by the early existence of sources and detectors 
at this wavelength. The third window is around 1550 nm, 
where the attenuation reaches an absolute minimum (Thomas 
et ai, 2000) and where erbium-doped fibers provide conve- 
nient amplifiers (Desurvire, 1994). 
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dispersion goes to zero around 1550 nm, where the at- 
tenuation is minimal (Neumann, 1988).^ 

Chromatic dispersion does not constitute a problem in 
the case of faint laser pulses, for which the bandwidth is 
small. However, it becomes a serious issue when utilizing 
photon pairs created by parametric downconversion. 
For instance, sending photons of 70-nm bandwidth (as 
used in our long-distance tests of Bell's inequaUty; Uttel 
et al, 1998) down 10 km of optical fibers leads to a tem- 
poral spread of around 500 ps (assuming photons cen- 
tered at \o a typical dispersion slope of 
0.086 psnm^^km"^). However, this can be compen- 
sated for when using energy-time-entangled photons 
(Franson, 1992; Steinberg etal, 1992a, 1992b, Larchuk 
et al, 1995). In contrast to polarization coding, in which 
frequency and the physical property used to implement 
the qubit are not conjugate variables, frequency and 
time (thus position) constitute a Fourier pair. The strict 
energy anticorrelation of signal and idler photons en- 
ables one to achieve a dispersion for one photon that is 
equal in magnitude but opposite in sign to that of the 
sister photon, thus corresponding to the same delay^'^ 
(see Fig. 7). The effect of broadening of the two wave 
packets then cancels out, and two simultaneously emit- 
ted photons stay coincident. However, note that the ar- 
rival time of the pair varies with respect to its emission 
time. The frequency anticorrelation also provides the 
basis for avoiding a decrease in visibility due to di^erent 
wave packet broadening in the two arms of an interfer- 
ometer. Since the choromatic dispersion properties of 
optical fibers do not change with time — ^in contrast to 
birefringence — ^no active tracking and compensation are 
required. It thus turns out that phase and phase-time 
coding are particularly suited to transmission over long 
distances in optical fibers: nonlinear effects decohering 
the qubit "energy" are completely negUgible, and chro- 
matic dispersion effects acting on the localization can be 
avoided or compensated for in many cases. 



4. Free-space links 

Although today's telecommunications based on opti- 
cal fibers are very advanced, such channels may not al- 
ways be available. Hence there is also some effort in 
developing free-space line-of-sight communication sys- 



^Chromatic dispersion in fibers is mainly due to the material, 
essentially silicon, but also to the refractive index profile. In- 
deed, longer wavelengths feel regions farther away from the 
core where the refractive index is lower. Dispersion-shifted fi- 
bers have, however, been abandoned by today's industry, be- 
cause it has turned but to be simpler to compensate for the 
global chromatic dispei^ion by adding an extra fiber with high 
negative dispersion: The additional loss is then compensated, 
for by an erbiufn-doped fiber amplifier. 
^'^Here we assume a predominantly linear dependence of 
chromatic dispersion as a function of the optical frequency, a 
realistic assumption. 
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FIG. 7. Illustration of cancellation of chromatic dispersion ef- 
fects in the fibers connecting an entangled-particle source and 
two detectors. The figure shows differential group delay curves 
for two slightly different fibers approxunately 10 km long. Us- 
ing frequency-correlated photons with central frequency 
<wo — determined by the properties of the fibers — the difference 
in propagation times t%-tx between the signal (at a),l,a),2) 
and idler (at cUjl.tUjZ) photon is the same for all <t),,(t>j. Note 
that this cancellation scheme is not restricted to signal and 
idler photons at nearly equal wavelengths. It also applies to 
asymmetrical setups in which the signal photon (generating the 
trigger to indicate the presence of the idler photon) is at a 
short wavelength of around 800 nm and travels only a short 
distance. Using a fiber with appropriate zero dispersion wave- 
length X.0 > it is still possible to achieve equal differential group 
delay with respect to the energy-correlated idler photon sent 
through a long fiber at a telecommunications wavelength. 

tems, not only for classical data transmission but also for 
quantum Glyptography (see Hughes, Buttler, etal, 2000 
and Gorman era/., 2000). 

Transmission over free space features some advan- 
tages compared to the use of optical fibers. The atmo- 
sphere has a high transmission window at a wavelength 
of around 770 nm (see Fig. 8), where photons can easily 
be detected using commercial, high-efficiency photon- 
counting modules (see Sec. in,C.l). Furthermore, the 
atmosphere is only weakly dispersive and essentially 
nonbirefringent" at these wavelengths. It will thus not 
alter the polarization state of a photon. 

However, there are some drawbacks concerning free- 
space links as well. In contrast to the signal transmitted 
in a guiding medium where the energy is "protected" 
and remains localized in a small region of space, the 
energy transmitted via a free-space link spreads out, 
leading to higher and varying transmission losses. In ad- 
dition to loss of energy, ambient daylight, or even moon- 
light at night, can couple into the receiver, leading to a 
higher error rate. However, such errors can be kept to a 
reasonable level by using a combination of spectral fil- 
tering (interference filters ^ 1 nm), spatial filtering at the 
receiver, and timing discrimination using a coincidence 



. ^In contrast to an optical fiber, air is not subject to stress and 
is hence isotropic: 
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FIG. 8. Transmission losses in free space as calculated using 
the LOWTRAN code for earth-to-space transmission at the el- 
evation and location of Los Alamos, USA. Note that there is a 
low-loss window at around 770 nm — a wavelength at which 
high-efficiency silicon APD's can be used for single-photon de- 
tection (see also Fig. 9 and compare to Fig. 6). Figure courtesy 
of Richard Hughes. 

window of typically a few nanoseconds. Finally, it is clear 
that the performance of free-space systems depends dra- 
matically on atmospheric conditions and is possible only 
in clear weather. 

Finally, let us briefly comment on the different sources 
leading to coupling losses. A first concern is the trans- 
mission of the signals through a turbulent medium, lead- 
ing to arrival-time jitter and beam wander (hence prob- 
lems with beam pointing). However, as the time scales 
for atmospheric turbulences involved are rather small — 
around 0.1-0.01 s — the time jitter due to a variation of 
the effective refractive index can be compensated for by 
sending a reference pulse at a different wavelength a 
short time (around 100 ns) before each signal pulse. 
Since this reference pulse experiences the same atmo- 
spheric conditions as the subsequent one, the signal will 
arrive essentially without jitter in the time window de- 
fined by the arrival of the reference pulse. In addition, 
the reference pulse can be reflected back to the trans- 
mitter and used to correct the direction- of the laser 
beam by means of adaptive optics, hence compensating 
for beam wander and ensuring good beam pointing. 

Another issue is beam divergence, hence increase of 
spot size at the receiver end caused by diffraction at the 
transmitter aperture. Using, for example, 20-cm- 
diameter optics, one obtains a diffraction-limited spot 
size after 300 km of '^l m. This effect can in principle be 
kept small by taking advantage of larger optics. How- 
ever, it can also be advantageous to have a spot size that 
is large compared to the receiver's aperture in order to 
ensure constant coupUng in case of remaining beam 
wander. In their 2000 paper, Gilbert and Hamrick pro- 
vide a comprehensive discussion of free-space channels 
in the context of QC. 

C. Single-photon detection 

With the availability of ' pseudo'-sipgle-photon and 
photoii-pair sources, the success of quantum cryptogra- 
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phy essentially depends on the ability to detect single 
photons. In principle, this can be achieved using a vari- 
ety of techniques, for . instance, photomultiphers, ava- 
lanche photodiodes, multichannel plates, and supercon- 
ducting Josephson junctions. The ideal detector should 
fulfill the following requirements: 

• the quantum detection efficiency should be high 
over a large spectral range, 

• the probabihty of generating noise, that is, a signal 
without an arriving photon, should be small, 

• the time between detection of a photon and genera- 
tion of an electrical signal should be as constant as pos- 
sible, ie., the time jitter should be small, to ensure good 
timing resolution, 

• the recovery time (i.e., the dead time) should be 
short to allow high data rates. 

In addition, it is important to keep the detectors prac- 
tical For instance, a detector that needs liquid helium or 
even nitrogen cooling would certainly render commer- 
cial development difficult. 

Unfortunately, it turns out that it is impossible to ful- 
fill all the above criteria at the same time. Today, the 
best choice is avalanche photodiodes (APD's). Three 
different semiconductor materials are used: either sili- 
con, germanium, or indium gallium arsenide, depending 
on the wavelengths, 

AFDs are usually operated in the so-called Geiger 
mode. In this mode, the applied voltage exceeds the 
breakdown voltage, leading an absorbed photon to trig- 
ger an electron avalanche consisting of thousands of car- 
riers. To reset the diode, this macroscopic current must 
be quenched — the emission of charges must be stopped 
and the diode recharged (Cova et al, 1996). Three main 
possibilities exist 

• In passive-quenching circuits, a large (50-500 kfi) 
resistor is connected in series with the APD (see, for 
example, Brown etal, 1986). This causes a decrease in 
the voltage across the APD as soon as an avalanche 
starts. When it drops below breakdown voltage, the ava- 
lanche stops and the diode recharges. The recovery time 
of the diode is given by its capacitance and by the value 
of the quench resistor. The maximum count rate varies 
from a few hundred kilohertz to a few megahertz, 

• In active-quenching circuits, the bias voltage is ac- 
tively lowered below the breakdown voltage as soon as 
the leading edge of the avalanche current is detected 
(see, for example, Brown et al, 1987), This mode makes 
possible higher count rates than those in passive quench- 
ing (up to tens of megahertz), since the dead time can be 
as short as tens of nanoseconds. However, the fast elec- 
tronic feedback system makes active-quenching circuits 
much more complicated than jpassive ones, 

• Finally, in gated-mode operation, the bias voltage is 
kept below the breakdown voltage and is raised above it 
only for a short time, typically a few nanosecods when a 
photon is expected to arrive. Maximum count rates simi- 
lar to those in active-quenching circuits can be obtained 
using less complicated electronics. Gated-mode opera- 
tion is commonly used in quantum cryptography based 
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on faint laser pulses, for which the arrival times of the 
photons are well known. However, it only applies if 
prior timing information is available. For two-photon 
schemes, it is most often combined with a passive- 
quenched detector, generating the trigger signal for the 
gated detector. 

In addition to Geiger mode. Brown and Daniels 
(1989) have investigated the performance of siUcon 
APD*s operated in sub-Geiger mode. In this mode, the 
bias voltage is kept shghtly smaller than the breakdown 
voltage such that the multiplication factor — ^around 
IOO-hIs sufficient to detect an avalanche, yet, is still 
small enough to prevent real breakdowns. Unfortu- 
nately, the single-photon counting performance in this 
mode is rather poor, and thus efforts have not been con- 
tinued, the major problem being the need for extremely 
low-noise amplifiers. 

An avalanche engendered by carriers created in the 
conduction band of the diode can be set off not only by 
an impinging photon, but also by unwanted causes. 
These might be thermal or band-to-band tunneling pro- 
cesses, or emissions from trapping levels populated 
while a current transits through the diode. The £ist two 
produce avalanches not due to photons and are referred 
to as dark counts. The third process depends on previous 
avalanches and its effects are called afterpulses. Since 
the number of trapped charges decreases exponentially 
with time, these afterpulses can be Umited by applying 
large dead times. Thus there is a tradeoff between high 
count rates and low afterpulses. The time constant of the 
exponential decrease of afterpulses shortens for higher 
temperatures of the diode. Unfortunately, operating 
APD*s at higher temperatures leads to a higher fraction 
of thermal noise, that is, higher dark counts. Thus there 
is again a tradeoff to be optimized. Finally, increasing 
the bias voltage leads to a higher quantum efficiency and 
a smaller time jitter, at the cost of an increase in noise. 

We thus see that the optimal operating parameters — 
voltage, temperature, and dead time (i.e., maximum 
count rate)— -depend on the specific application. More- 
over, since the relative magnitudes of efficiency, thermal 
noise, and afterpulses vary with the type of semiconduc- 
tor material used, no general solution exists. In the next 
two sections we briefly discuss the different types of 
APD's, The first section focuses on siUcon APD's for the 
detection of photons at wavelengths below 1 /xm; the 
second comments oil germanium and on indium gaUium 
arsenide APD^ for photon counting at telecommunica- 
tions wavelengths. The different behavior of the three 
types is shown in Fig. 9. Although the best figure of 
merit for quantum cryptography is the ratio of dark- 
count rate R to detection efficiency 77, we show here the 
better-known noise equivalent power (NEP), which 
shows similar behavior. The noise equivalent power is 
defined as the optical power required to measure a unity 
signal-to-noise ratio and is given by 

NEP--—yl2R: ' (25) 
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FIG. 9. Noise equivalent power as a function of wavelength for 
silicon, germanium, and InGaAs/InP APD^. 

Here, h is Planck's constant and vis the frequency of the 
impinging photons. 

1. Photon counting at wavelengths below 1.1 /un 

Since the beginning of the 1980s much work has been 
done to characterize silicon APD^ for single-photon 
counting (Ingerson 1983; Brown et al, 1986, 1987; 
Brown and Daniels, 1989; Spinelli, 1996), and the perfor- 
mance of Si APD's has continuously been improved 
Since the first test of Bell's inequality using Si APD's by 
Shih and Alley in 1988, they have completely replaced 
the photomultipliers used until then in the domain of 
fundamental quantum optics, now known as quantum 
conmiunication. Today, quantum efficiencies of up to 
76% (Kwiat et al, 1993) and time jitter as low as 28 ps 
(Cova etal, 1989) have been reported. Commercial 
single-photon counting modules are available (for ex- 
ample, EG&G SPCM-AQ-151), featuring quantum effi- 
ciencies of 70% at a wavelength of 700 nm, a time jitter 
of around 300 ps, and maximum count rates higher than 
5 MHz. Temperatures of - 20 sufficient to keep 
thermally generated dark counts as low as 50 Hz— can 
easily be achieved using Peltier cooling. Single-photon 
counters based on silicon APD*s thus offer an ahnost 
perfect solution for all applications in which photons of 
wavelengths below 1 /un can be used. Apart from fun- 
damental quantum optics, these applications include 
quantum cryptography in free space and in optical fi- 
bers; however, due to high losses, the latter works only 
over short distances. 

2. Photon counting at telecommunications wavelengths 

When working in the second telecommunications win- 
dow (1.3 /Am), one can take advantage of APD's made 
from germanium or InGaAs/InP semiconductor materi- 
als. In the third window (1.55 fjm), the only option is 
InGaAs/InP 

Photon counting with germanium APD's, although 
known for 30 years (Haecker et al, 1971), began to be 
used in quantum communication as the need arose to 
transmit single photons over long distances using optical 
fibers, which necessitated working at telecommunica- 
tions wavelengths. In 1993, Townsend, Rarity, and Tap- 



ster (1993a) implemented a single-photon interference 
scheme for quantimi cryptography over a distance of 10 
km, and in 1994, Tapster, Rarity, and Owens demon- 
strated a violation of Bell's inequahties over 4 km. Iliese 
experiments were the first to take advantage of Ge 
APD's operated in passively quenched Geiger mode. At 
a temperature of 77 K, which can be achieved using ei- 
ther liquid nitrogen or Stirling engine cooling, typical 
quantum efficiencies of about 15% at dark-count rates 
of 25 kHz can be achieved (Owens et al, 1994), and time 
jitter down to 100 ps has been observed (Lacaita et al, 
1994) a normal value being 200-300 ps. 

Traditionedly, germanium APD's have been imple- 
mented in the domain of long-distance quantum com- 
munication. However, this type of diode is currendy be- 
ing replaced by InGaAs APD's, and it has become more 
and more difficult to find germanium APD's on the mar- 
ket. Motivated by pioneering research reported in 1985 
(Levine etal, 1985), the latest research focuses on 
InGaAs APD's, which allow single-photon detection in 
both telecommunications windows. Starting with work 
by Zappa et al (1994), InGaAs APD's as single-photon 
counters have meanwhile been thoroughly characterized 
(Lacaita et al, 1996; Ribordy et al, 1998; Karlsson et al, 
1999; Hiskett et al , 2000; Rarity et al . 2000; Stucki et al , 
2001), and the first implementations for quantum cryp- 
tography have been reported (Ribordy, 1998; Bouren- 
nane et al, 1999; Bethune and Risk, 2000; Hughes, Mor- 
gan, and Peterson, 2000; Ribordy et al, 2000). However, 
if operating Ge APD's is already more inconvenient 
than using silicon APD's, the practicality of InGaAs 
APD's is even worse, the problem being an extremely 
high afterpulse fraction. Therefore operation in passive- 
quenching mode is impossible for applications in which 
low noise is crucial. In gated mode, InGaAs APD's are 
better for single-photon counting at 1.3 /mi than Ge 
APD's. For instance, at a temperature of 77 K and a 
dark-count probability of 10"^ per 2,6-ns gate, quantum 
efficiencies of around 30% and 17% have been reported 
for InGaAs and Ge APD's, respectively (Ribordy etal, 
1998), while the time jitter of both devices is compa- 
rable. If working at a wavelength of 1.55 /im, the tem- 
perature has to be inqreased for single-photon detection. 
At 173 K and a dark-count rate of 10""^, a quantum 
efficiency of 6% can still be observed using InGaAs/InP 
devices, while the same figure for germanium APD's is 
close to zero. 

To date, no industrial effort has been made to opti- 
mize APD's operating at telecommunications wave- 
lengths for photon counting, and their performance still 
lags far behind that one of silicon APD's.^ However, 
there is no fundamental reason why photon counting at . 
wavelengths above 1 pm should be more difficult than at 
wavelengths below 1 pm except that the high- 



first commercial photon counter at telecommunications 
wavelengths came out only thfe year (the Hamamatsu photo- 
multiplier R5509-72).. However, its efficiency is not. yet suffi- 
cient for use in quantum cryptography. 
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wavelength photons are less energetic. The real reasons 
for the lack of commercial products are, first, that sili- 
con, the most common semiconductor material, is not 
sensitive enough (the band gap is too large), aad second 
that the market for photon countiag is not yet mature. 
But, without great risk, one can predict that good com- 
mercial photon counters will become available in the 
near future and that they will have a major impact on 
quantum cryptography. 



D. Quantum random-number generators 

The key used in the one-time pad must be secret and 
used only once. Consequently it must be as long as the 
message, and it must be perfectly random. The latter 
point proves to be a delicate and interesting one. Com- 
puters are deterministic systems that cannot create truly 
random numbers. However, all secure cryptosystems, 
both classical and quantum ones, require truly random 
numbers,^ Hence the random numbers must be created 
by a random physical process. Moreover, to make sure 
that the process does not merely appear random while 
having some hidden deterministic pattern, the process 
needs to be completely understood. It is thus of interest 
to implement a simple process in order to gain confi- 
dence in the randomness of its proper operation. 

A natural solution is to rely on the random choice of a 
single photon at a beamsplitter^ (Rarity et al, 1994). In 
this case the randomness is in principle guaranteed by 
the laws of quantum mechanics, though one still has to 
be very careful not to introduce any experimental arti- 
fact that could correlate adjacent bits. Different experi- 
mental realizations have been demonstrated (Jenne- 
wein, Achleitner, etal, 2000; Stefanov etal, 2000; 
Hildebrand, 2001), and prototypes are commercially 
available (www.gap-optique.unige.ch). One particular 
problem is the dead time of the detectors, which may 
introduce a strong anticorrelation between neighboriag 
bits. Similarly, afterpulses may provoke a correlation. 
These detector-related effects increase with higher pulse 
rates, limiting the bit rate of a quantum number genera- 
tor to a few megahertz. 

In the BB84 protocol Alice has to choose randomly 
among four different states and Bob between two bases. 
The limited random-number generation rate may force 
Alice to produce her numbers in advance and store 
them, creating a security risk. On Bob's side the random- 
bit creation rate can be lower, since, in principle, the 
basis need be changed only after a photon has been de- 
tected, which normally happens at rates below 1 MHz. 
However, one must make sure that this does not give a 
spy an opportunity for a Trojan horse attack (see Sec. 
VI.K). 



^"^The PIN number that the bank assigns to your ATM card 
must be random. If not, someone else knows it. 

^Strictly speaking, the choice is made only once the photons 
are detected at one of the outports. 
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An elegant configuration integrating the random- 
number generator into the QC system consists in using a 
passive choice of bases, as discussed in Sec. V (MuUer 
et al., 1993). However, the problem of detector-induced 
correlation remains. 



E. Quantum repeaters 

Today's fiber-based QC systems are limited to opera- 
tion over tens of kilometers due to the combination of 
fiber losses and detector noise. ITie losses by theniselves 
only reduce the bit rate (exponentially with distance). 
With perfect detectors the distance would not be limited 
However, because of the dark counts, each time a pho- 
ton is lost there is a chance that a dark count produces 
an error. Hence, when the probability of a dark count 
becomes comparable to the probability that a photon is 
correctly detected, the signal-to-noise ratio tends to 0 
[more precisely, the mutual information I{a,p) tends to 
a lower bound^']. In this section we briefly explain how 
the use of entangled photons and of entanglement swap- 
ping (Zukowski etal, 1993) could offer ways to extend 
the achievable distances in the foreseeable future (some 
prior knowledge of entanglement swapping is assumed). 
Let tiink denote the transmission coefficient (i.e., the 
probability that a photon sent by Alice gets to one of 
Bob's detectors), 77 the detector efficiency, and Pdark the 
dark-count probabihty per time bin. With a perfect 
single-photon source, the probability P^aw of a correct 
qubit detection is Praw^UinkV^ while the probability 
Pdtt of an error is Pdet^i^-tunkV) Pdark- Accordingly, 
the QBBR^Pdet/iPraw-^Pdet). and the normalized net 
rate is pnet=(Praw-^Pdet)'fct{QBER), where the func- 
tion /cf denotes the fraction of bits remaining after error 
correction and privacy amplification. For the sake of il- 
lustration, we simply assume a Unear dependence drop- 
ping to zero for QBER5=15% (this simplification does 
not affect the qualitative results of this section; for a 
more precise calculation,, see Liitkenhaus 2000): 
/cr(QBER)=l-QBER/15%. The corresponding net 
rate p„e, is displayed in Fig. 10. Note that it drops to zero 
near 90 km. 

Let us now assume that instead of a perfect single- 
photon source, Alice and Bob use a perfect two-photon 
source set in the middle of their quantimi channel. Each 
photon then has a probability V^/injt of reaching a detec- 
tor. The probability of a correct joined detection is thus 
Praw-hinkV ^i wh ile an error occu rs wit h pro babihty 

Pdet = {^--lUi^knfplark + '^^UiTkVi^ - ^^kV)p dark 

(both photons lost, and two dark counts, or one photon 
lost and one dark count). This can be conveniently re- 
written • as Praw'^tiinkrf and Prfe/ = [0^>(1 

^hinkV)PdarkT~'Uink V^y valid for any division of the 



absolute lower bound is 0, but depending, on the as- - 
sumed eavesdropping strategy, Eve could, take advantage of 
the losses. In the. latter case, the lower bound is given by her 
mutual information /(a, e). 
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FIG. 10. Nonnalized net key creation rate p„gf as a function of 
distance in optical fibers. For Alice uses a perfect single- 
photon source. For n> 1, the link is divided into n equal-length 
sections, and n/2 two-photon sources are distributed between 
Alice and Bob. Parameters: detection efficiency 77=10%, 
dark-count probability P(iar*=10'^» and fiber attenuation a 
=0.25 dB/km. 

link into n equal-length sections and n detectors. Note 
that the measurements performed at the nodes between 
Alice and Bob transmit (swap) the entanglement to the 
twin photons without revealing any information about 
the qubit (these measurements are called BeU measure- 
ments and are at the core of entanglement swapping and 
of quantum teleportation). The corresponding net rates 
are displayed in Fig. 10. Clearly, the rates for short dis- 
tances are smaller when several detectors are used, be- 
cause of their limited efficiencies (heie we assume 77 
= 10% ), but the distance before the net rate drops to 
zero is extended to longer distances! Intuitively, this can 
be understood as follows. Let us assume that a logical 
qubit propagates from Alice to Bob (although some 
photons propagate in the opposite direction). Then, 
each two-photon source and each Bell measurement acts 
on this logical qubit as a kind of quantum nondemolition 
measurement, testing whether the logical qubit is still 
there. In this way, Bob activates his detectors only when 
there is a large chance f J/";^ that the photon gets to his 
detectors. 

Note that if in addition to detector noise there is noise 
due to decoherence, then the above idea can be ex- 
tended, using entanglement purification. This is essen- 
tially the idea behind quantum repeaters (Briegel et al, 
1998; Dur cmL; 1999). 

IV. EXPERIMENTAL QUANTUM CRYPTOGRAPHY WITH 
FAINT LASER PULSES 

. E:fqperimental quantum key distribution was demon- 
strated, for the first time in 1989 (the results were pub- 
lished only in 1992 by Bennett, Bessette, ef a/.). Since 
then, tremendous progress has been made. Today, sev- 
eral groups have shown that quantum key distribution is 
possible, even outside the laboratory. In principle, any 
two-level quantum system could be used to implement 
QC. In practice, all implementations have relied on pho- 
tons. The reason is that their interaction with the envi- 
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ronment, also called decoherence, can be controlled and 
moderated. In addition, researchers can benefit from all 
the tools developed in the past two decades for optical 
telecommunications. It is unlikely that other carriers will 
be employed in the foreseeable future. 

Comparing different QC setups is a difficult task, 
since several criteria must be taken into account. What 
matters in the end, of course, is the rate of corrected 
secret bits (the distilled bit rate R^i^t) that can be trans- 
mitted and the transmission distance. One cari akeady 
note that with present and near-future technology it will 
probably not be possible to achieve rates of the order of 
gigahertz, which are now common with conventional op- 
tical communication systems (in their comprehensive 
paper published in 2000, Gilbert and Hamrick discuss 
practical methods for achieving high-bit-rate QC). This 
implies that encryption with a key exchanged through 
QC will be limited to highly confidential information. 
While the determination of the transmission distance 
and rate of detection (the raw bit rate Rfaw)^ straight- 
forward, estimating the net rate is rather difficult. Al- 
though, in principle, errors in the bit sequence follow 
only from tampering by a malevolent eavesdropper, the 
situation is rather different in reality. Discrepancies be- 
tween the keys of Alice and Bob also happen because of 
experimental imperfections. The error rate QBER can 
be easily determined. Similarly, die error correction pro- 
cedure is rather simple. Error correction leads to a re- 
duction of the key rate that depends strongly on the 
QBER. The real problem is to estimate the information 
obtained by Eve, a quantity necessary for privacy ampli- 
fication. This depends not only on the QBER, but ilso 
on other factors, such as the photon number statistics of 
the source or the way the choice of the measurement 
basis is made. Moreover in a pragmatic approach, one 
might also accept restrictions on Eve's technology, limit- 
ing her strategies and therefore also the information she 
can obtain per error she introduces. Since the efficiency 
of privacy amplification rapidly decreases when the 
QBER increases, the distilled bit rate depends dramati- 
cally on Eve's information and hence on the assumptions 
made. One can define as the maximum transmission dis- 
tance the distance at which the distilled rate reaches 
zero. This distance can give one an idea of the difficulty 
of evaluating a QC system from a physical point of view. 

Technological aspects must also be taken into account. 
In this article we do not focus on all the published per- 
formances (in particular not on the key rates), which 
strongly depend on current technology and the financial 
resources of the research teams who carried out the ex- 
periments. Rather, we try to weigh the intrinsic techno- 
logical difficulties associated with each setup and to an- 
ticipate certain technological advances. Last but not 
least, the cost of realizing a prototype should also be 
considered. 

In this section, we first deduce a general formula for 
the QBER and consider its impact on the distilled rate. 
We then review faint-pulse implementations. We class 
them according to the property used to encode the qu- 
bits value and follow a rough chronological order. Fi- 
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nally, we assess the possibiUty of adopting the various 
setups for the reahzation of an industrial prototype. Sys- 
tems based on entangled photon pairs are presented in 
the next section. 



A. Quantum bit enor rate 

The QBER is defined as the ratio of wrong bits to the 
total number of bits received^ and is normally on the 
order of a few percent. We can express it as a function of 
rates, 



QBER=- 



wrong 



error ^ *^ error (26) 
^righ&^ wrong ^sift'^ ^ error ^sift 

Here the sifted key corresponds to the cases in which 
AUce and Bob made compatible choices of bases, hence 
its rate is half that of the raw key. 

The raw rate is essentially the product of the pulse 
rate f^ep , the mean number of photons per pulse jx, the 
probability tunk of a photons arriving at the analyzer, 
and the probabihty 77 of the photon's being detected: 



_1 _i 



(27) 



The factor ^ (^^1, typically 1 or 5) must be introduced 
for some phase-coding setups in order to correct for 
noninterfering path combinations (see, for example, 
Sees. IV.C and V.B). 

One can identify three different contributions to 
R error - ^h^ ^^st arises from photons that end up in the 
wrong detector due to imperfect interference or polar- 
ization contrast. The rate R^pi is given by the product of 
the sifted-key rate and the probabihty popfOta. photon's 
going to the wrong detector: 



^opt-RsiftPopt''2^frepf^hinkPoptV- 



1 



(28) 



For a given setup, this contribution can be considered as 
an intrinsic error rate indicating its suitability for use in 
QC We shall discuss it below in the case of each par- 
ticular system. 

The second contribution, Rdetf arises from the detec- 
tor dark counts (or from remaining environmental stray 
light in free-space setups). This rate is independent of 
the bit rate.^^ Of course, only dark counts falling within 
the short tune window when a photon is expected give 
rise to errors, 



_1 1 

^def^2 2^repPdarkf^^ 



(29) 



where Pdark ^ probabihty of registering a dark count 
per time window and per detector, and n is the number 



■'^In the following section we consider systems implementing 
the BB84 protocol. For other protocols, some of the formulas 
have to be slightly adapted. 

^^This is U-ue provided that afterpulses (see Sec. III.C) do not 
contribute to the dark counts. 



of detectors. The two factors of { are related to the fact 
that a dark count has a 50% chance of happening when 
Alice and Bob have chosen incompatible bases (and is 
thus eliminated during sifting) and a 50% chance of oc- . 
curring in the correct detector. 

Finally, error counts can arise from uncorrelated pho- 
tons due to imperfect photon, sources: 



(30) 



This factor appears only in systems based on entangled 
photons, where the photons belonging to different pairs 
but arriving in the same time window are not necessarily 
in the same state. The quantity p^^^c ^ the probabihty of 
finding a second pair within tJie time window, knowing 
that a first one was created.^^ 
The QBER can now be expressed as follows: 



QBER= 



Rppt'^Rdtt'^ Rg 
Pdark^ 



(31) 



= QBER^p,-h QBERder+ QBER^,, 



(32) 

(33) 

We now analyze these three contributions. The first one, 
QBERopt , is independent of the transmission distance 
(it is independent of f/^nJt)* considered as a 

measure of the optical quality of the setup, depending 
only on the polarization or interference fringe contrast. 
The technical effort needed to obtain and, more impor- 
tantly, to maintain a given QBERj,^^ is an important cri- 
terion for evaluating different QC setups. In 
polarization-based systems, it is rather simple to achieve 
a polarization contrast of 100:1, corresponding to a 
QBERop, of 1%. In fiber-based QC, the problem is to 
maintain this value in spite of polarization fluctuations 
and depolarization in the fiber link. For phase-coding 
setups, QBER^p, and the interference visibility are re- 
lated by 



1-V 

QBER^p,=— . 



(34) 



A visibihty of 98% thus translates into an optical error 
rate of 1%. Such a value impUes the use of well-ahgned 
and stable interferometers. In bulk optics, perfect mode 
overlap is difficult to achieve, but the polarization is 
stable. In single-mode fiber interferometers, on in con- 
trast, perfect mode overlap is automatically achieved, 
but the polarization must be controlled, and chromatic 
dispersion can constitute a problem. 

The second contribution, QBER^^g, , increases with 
distance, since the dark-count rate remains constant 
while the bit tate goes down like f //„jt . It depends en- 



■ ■'^Note that a passive choice of measurement basis implies 
that four detectors (or two detectors during two time windows) 
are activated for every pulse, thus leading to a doubling GiRaet 
and Race • 
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FIG. 11. Bit rate, after error correction and privacy amplifica- 
tion, vs fiber length. The chosen parameters are as follows: 
pulse rates of 10 MHz for faint laser pulses (/t=0.1) and 1 
MHz for the case of ideal single photons (1550-nm "single"); 
losses of 2, 035, and 0.25 dB/km; detector efficiencies of 50, 20, 
and 10; dark-count probabilities of 10"'', and 10*"^ and 10'^ 
for 800, 1300, and 1550 nm, respectively. Losses at Bob^ end 
and QBER^p^ are neglected. 

tirely on the ratio of the dark-count rate to the quantum 
efficiency. At present, good single-photon detectors are 
not commerdaliy available for telecommunications 
wavelengths. The span of QC is not limited by decoher- 
ence. As QBERop^ is essentially independent of the fiber 
length, it is detector noise that limits the transmission 
distance. 

Finally, the QBERacc contribution is present only in 
some two-photon schemes in which multiphoton pulses 
are processed in such a way that they do not necessarily 
encode the same bit value (see, for example, Sees. V.B.1 
and V.B.2). Although all systems have some probability 
of multiphoton pulses, in most these contribute only to 
the information available to Eve (see Sec. VI.H) and not 
to the QBER. However, for implementations featuring 
passive choice by each photon, the multiphoton pulses 
do not contribute to Eve's information but only to the 
error rate (see Sec. VI. J). 

Now, let us calculate the useful bit rate as a function 
of the distance. Rsi/t and QBER are given as a function 
of f/,„it in Eqs, (27) and (32), respectively. The fiber link 
transmission decreases exponentially with length. The 
fraction of bits lost due to error correction and privacy 
amplification is a function of QBER and depends on 
Eve's strategy. The number of remaining bits Rn^i is 
given by the sifted-key rate multiplied by the difference 
between the Alice-Bob mutual Shannon information 
I(a,P) and Eve's maximal Shannon information 

Rnet=RsiftU{a.0)-l'''\a,€)l (35) 

The difference between and I^^^{a,€) is calcu-. 

lated here according to Eqs. (63) and (65) (Sec. VI.E), 
considering only individual attacks and no multiphoton 
piilses. We cjibtain i?„e, (the useful bit rate after error 
correction and privacy amplification) for different wave- 
lengths as shown in Fig. 11. There is first an exponential 
decrease, then, due to error correction and privacy am- 
plification, the bit rates fall rapidly down to zero. This is 
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FIG. 12. Typical system for quantum cryptography using po- 
larization coding: LO, laser diode; BS, beamsplitter; F, neutral 
density filter; PBS, polarizing beamsplitter; half wave- 
plate; APD, avalanche photodiode. 

most evident when comparing the curves 1550 and 1550 
nm "single," since the latter features a QBER that is 10 
times lower. One can see that the maximum range is 
about 100 km In practice it is closer to 50 km, due to 
nonideal error correction and privacy amplification, 
multiphoton pulses, and other optical losses not consid- 
ered here. Finally, let us mention that typical key cre- 
ation rates on the order of a thousand bits per second 
over distances of a few tens of kilometers have been 
demonstrated experimentally (see, for example, 
Townsend, 1998b or Ribordy et al, 2000). 

B. Polarization coding 

Encoding the qubits in the polarization of photons is a 
natural solution. The first demonstration of QC by Ben- 
nett and co-workers (Bennett, Bessette, etal, 1992) 
made use of this choice. They realized a system in which 
Alice and Bob exchanged faint light pulses produced by 
a light-emitting diode and containing less than one pho- 
ton on average over a distance of 30 cm in air. In spite of 
the small scale of this experiment, it had an important 
impact on the community, as it showed that it was not 
unreasonable to use single photons instead of classical 
pulses for encoding bits. 

A typical QC system with the BB84 four-state proto- 
col using the polarization of photons is shown in Fig. 12. 
Alice's system consists of four laser diodes. They emit 
short classical photon pulses (*«1 ns) polarized at -45°, 
0°, +45*^, and 90°. For a given qubit, a single diode is 
triggered. The pulses are then attenuated by a set of 
filters to reduce the average number of photons to well 
below 1, and sent along the quantum channel to Alice. 

It is essential that the pulses remain polarized for Bob 
to be able to extract the information encoded by Alice. 
As discussed in Sec. ni,B-2, polarization mode disper- 
sion ihay depolarize the. photons, provided the delay it 
introduces between polarization modes is longer than 
the coherence time. This sets a constraint on the type of 
lasers used by Alice. 

Upon reaching Bob, the pulses are extracted from the 
fiber. They travel through a set of waveplates used to 
recover the initial polarization states by compensating 
for the transformation. indiiced by the optical fiber (Sec. 
in.B.2). The pulses then reach a synunetric beamsplit- 
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ter, implementing the basis choice. Transmitted photons 
are analyzed in the vertical-horizontal basis with a po- 
larizing beamspUtter and two photon-counting detec- 
tors. The polarization state of the reflected photons 13 
first rotated with a waveplate by 45° (-45**->0**). The 
photons are then analyzed with a second set of polariz- 
ing beamsplitters and photon-counting detectors. This 
implements the diagonal basis. For illustration, let us 
follow a photon polarized at +45**. We see that its state 
of polarization is arbitrarily transformed in the optical 
fiber. At Bob*s end, the polarization controller must be 
set to bring it back to +45**. K it chooses the output of 
the beamsplitter corresponding to the vertical-horizontal 
basis, it will experience an equal probability of reflection 
or transmission at the polarizing beamspHttter, yielding a 
random outcome. On the. other hand, if it chooses the 
diagonal basis, its state will be rotated to 90"". The po- 
larizing beamsplitter will then reflect it with unit prob- 
ability, yielding a deterministic outcome. 

Instead of having Alice use four lasers and Bob two 
polarizing beamsplitters, one can also implement this 
system with active polarization modulators such as 
Pockels cells. For emission, the modulator is randomly 
activated for each pulse to rotate the state of polariza- 
tion to one of the four states, while, at the receiver, it 
randomly rotates half of the incoming pulses by 45°. It is 
also possible to realize the whole system with fiber op- 
tics components. 

Antoine Muller and co-workers at the University of 
Geneva have used such a system to perform QC experi- 
ments over optical fibers (1993; see also Breguet etaL, 
1994). They created a key over a distance of 1100 meters 
wi± photons at 800 nm. In order to increase the trans- 
mission distance, they repeated the experiment with 
photons at 1300 nm (Muller et ai, 1995, 1996) and cre- 
ated a key over a distance of 23 km. An interesting fea- 
ture of this experiment is that the quantum channel con- 
necting Alice and Bob consisted of an optical fiber part 
of an installed cable used by the teleconmiumcations 
company Swisscom for carrying phone conversations. It 
runs between the Swiss cities of Geneva and Nyon, un- 
der Lake Geneva (Fig. 13). This was the first time QC 
was performed outside of a physics laboratory. These 
experiments had a strong impact on the interest of the 
wider public in the new field of quantum communica- 
tion. 

These two experiments highlighted the fact that the 
polarization transformation induced by a long optical fi- 
ber was unstable over time. Indeed, when monitoring 
the QBER of their system, Muller noticed that, although 
it remained stable and low for some time (on the order 
of several minutes), it would suddenly increase after a 
while, indicating a modification of the polarization trans- 
formation in the fiber. This implies that a real fiber- 
based, QC system would tequire actiye alignment to 
comipensate for this evolution. Although not impossible, 
such a procedure is certainly difiicult. James Fransori did 
indeed, implement an active-feedback ahgnment system 
(Franson and Jacobs, 1995), but did not pursue this line 
of research. It is interesting tb note that replacing stan- 
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FIG. 13. Geneva and Lake Geneva. The Swisscom optical fi- 
ber cable used for quantum cryptography experiments runs 
under the lake between the town of Nyon, about 23 km north 
of Geneva, and the center of the dty. 



dard fibers with polarization-maintaining fibers does not 
solve the problem. The reason is that, in spite of their 
name, these fibers do not maintain polarization, as ex- 
plained in Sec. in.B.2, 

Recently, Townsend has also investigated such 
polarization-encoding systems for QC on short-span 
links up to 10 kilometers (1998a, 1998b) with photons at 
800 nm. It is interesting to note that, although he used 
standard teleconmiunications fibers which could support 
more than one spatial mode at this wavelength, he was 
able to ensure single-mode propagation by carefully 
controlling the launching conditions. Because of the 
problem discussed above, polarization coding does not 
seem to be the best choice for QC in optical fibers. Nev- 
ertheless, this problem is drastically reduced when con- 
sidering free-space key exchange, as air has essentially 
no birefringence at all (see Sec. IV.E). 



C. Phase coding 

The idea of encoding the value of qubits in the phase 
of photons was first mentioned by Bennett in the paper 
in which he introduced the two-state protocoL(1992). It 
is indeed a very natural choice for optics specialists. 
State preparation and analysis are then performed with 
interferometers, which can be realized with single-mode 
optical fiber components. 

Figure 14 presents an optical fiber version of a Mach- 
Zehnder interferometer. It is made out of two symmetric 
couplers — the equivalent of beamsplitters — connected 
to each other, with one phase modulator in each arm. 
One can inject light into the setup, using a continuous 
and classical squrce, and moriitor the intensity at tbe 
output ports. Provided that the coherence length of the 
light used is larger than tht path mismatch in the inter- 
ferometers, interference fringes can be recorded. Taking 
into account the tt/Z phase shift experienced upon re- 
flection at a beamsplitter, the effect of the phase modu- 
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TABLE I. Implementatioii of the BB84 four-state protocol 
with phase encoding. 



FIG. 14. Conceptual interferometric setup for quantum cryp> 
tography using an optical fiber Mach-Zehnder interferometer: 
LD, laser diode; PM, phase modulator; APD, avalanche pho- 
todiode. 

lators (^^ and 0^), and the path-length difference 
(AL), the intensity in the output port labeled "0" is 
given by 

t -I— -■ ' 



/o=7- cos^ 



(36) 



where ^: is the wave number and 7 the intensity of the 
source. If the phase term is equal to vH-^mr; where n is 
an integer, destructive interference is obtained. There- 
fore the intensity registered in port 0 reaches a mini- 
rnum, and all the Ught exits from port 1. When the phase 
term is equal to /itt, the situation is reversed: construc- 
tive interference is obtained in port 0, while the intensity 
in port 1 goes to a minimum. With intermediate phase 
settings, hght can be recorded in both ports. This device 
acts like an optical switch. It is essential to keep the path 
difference stable in order to record stationary interfer- 
ences. 

Although we have discussed the behavior of this inter- 
ferometer for classical Hght, it works exacdy the same 
when a single photon is injected. The probability of de- 
tecting the photon in one output port can be varied by 
changing the phase. It is the fiber optic version of 
Young's double-sUt experiment, in which the arms of the 
interferometer replace the apertures. 

This interferometer combined with a smgle-photon 
source and photon-counting detectors can be used for 
QC. Alice's setup consists of the source, the first coupler, 
and the first phase modulator, while Bob takes the sec- 
ond modulator and coupler, as well as the detectors. Let 
us consider the implementation of the four-state BE 84 
protocol. On the one hand, Alice can apply one of four 
phase shifts (0,7r/2,Tr,3'7r/2) to encode a bit value. She 
associates 0 and ir/i with bit 0, and tt and S^rrfl with bit 
1. On the other hand, Bob performs a basis choice by 
randomly applying a phase shift of either 0 or TrtZ. He 
associates the detector connected to the output port 0 
with a bit value of 0, and the detector connected to port 
1 with bit 1. When the difference of their phase is equal 
to 0 or TT, Alice and Bob are using compatible bases and 
they obtain deterministic results. In such cases, Alice 
can infer from the phase shift she applied the, output 
port chosen by the photon at Bob's end and hence the 
bit value he registered. Bob, on his side, deduces from 
the output port chosen by the photon the phase that 
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Alice selected. When the phase difference equals irll or 
3ir/2, the bases are incompatible and the photon ran- 
domly chooses which port it takes at Bob's coupler. This 
scheme is summarized in Table I. We must stress that it 
is essential with this scheme to keep the path difference 
stable during a key exchange session. It should not 
change by more than a fraction of a wavelength of the 
photons. A drift of the length of one arm would indeed 
change the phase relation between Alice and Bob and 
induce errors in their bit sequence. 

It is interesting to note that encoding qubits with two- 
path interferometers is formally isomorphic to polariza- 
tion encoding. The two arms correspond to a natural 
basis, and the weights Cy of each qubit state ^ 
= (cie"**'^,C2e'^'^) are determined by the coupling ratio 
of the first beamsplitter, while the relative phase <l> is 
introduced in the interferometer. The Poincare sphere 
representation, which appUes to all two-level quantum 
systems, can also be used to represent phase-coding 
states. In this case, the azimuth angle represents the 
relative phase between the hght that has propagated 
along the two arms. The elevation corresponds to the 
couplmg ratio of the first beamsplitter. States produced 
by a switch are on the poles, while those resulting from 
the use of a 50/50 beamsplitter lie on the equator. Figure 
15 illustrates this analogy. Consequently, all polarization 
schemes can also be implemented using phase coding. 




FIG, 15. Poincare sphere representation of two-level quantum 
states generated by two-path interferometers. The poles corre- 
spond to the states generated by an interferometer in which 
the first coupler is replaced by a switch. The states generated 
. with a symmetrical beamsplitter are on the equator. The azi- 
muth indicates the phase between the two paths. 
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FIG. 16. Double Mach-Z«hnder implementation of an inter- 
ferometric system for quantum cryptography: LD, laser diode; 
PM, phase modulator; APD, avalanche photodiode. The inset 
represents the temporal count distribution recorded as a func- 
tion of the time passed since the emission of the pulse by Al- 
ice. Interference is observed in the central peak. 

Similarly, every coding using two-path interferometers 
can be realized using polarization. However, in practice 
one choice is often more convenient than the other, de- 
pending on circumstances Uke the nature of the quan- 
tum channel^ 

1 . The double Mach-Zehnder implementation 

Although the scheme presented in the previous sec- 
tion works perfectly well on an optical table, it is impos- 
sible to keep the path difference stable when Alice and 
Bob are separated by more than a few meters. As men- 
tioned above, the relative length of the arms should not 
change by more than a fraction of a wavelength. If Alice 
and Bob are separated by 1 kilometer, for example, it is 
clearly impossible to prevent path difference changes 
smaller than 1 fim caused by environmental variations. 
In his 1992 letter, Bennett also showed how to circum- 
vent this problem. He suggested using two unbalanced 
Mach-2^hnder interferometers, one for Alice and one 
for Bob, connected in series by a single optical fiber (see 
Fig. 16). When monitoring counts as a function of the 
time since the emission of the photons, Bob obtains 
three peaks (see the inset in Fig, 16). The first one cor- 
responds to the photons that chose the short path in 
both Alice's and Bob's interferometers, while the last 
one corresponds to photons that chose both the long 
paths. Finally, the central peak corresponds to photons 
that chose the short path in Alice's interferometer and 
the long one in Bob's, and vice versa. K these two pro- 
cesses are indistinguishable, they produce interference. 
A timing window can be used to discriminate between 
interfering and noninterfering events. If the latter are 
disregarded, it is then possible for Alice and Bob to ex- 
change a key. 

The advantage of this setup is that both "halves'* of 
the photon travel in the same optical fiber. They thus 
experience the same; optical length in the envirbnmen- 



- ^?Note;- in addition, that using inanyrpath interferometers 
opens up the possibility of coding quahtuni systems of dimen- 
sions larger, than 2, like qutfits, ququarts, etc. (Bechmannr 
Pasquinucci and Peres, .2000; Bechmann-Pasquinucci and Tit- 
tel, 2000; Bourennane, Karlsson, and Bjom, 2601). 
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tally sensitive part of the system, provided that the 
variations in the fiber are slower than their temporal 
separations, determined by the interferometer's imbal- 
ance (^-Sns). This condition is much less difficult to 
fulfill. In order to obtain good fringe visibility, and hence 
a low error rate, the imbalances of the interferometeis 
must be equal to within a fraction of the coherence time 
of the photons. This implies that the path differences 
must be matched to within a few millimeters, which does 
not constitute a problem. The imbalance must be chosen 
so that it is possible to distinguish the three temporal 
peaks clearly and thus discriminate interfering from 
noninterfering events. It must typically be larger than 
the pulse length and the timing jitter of the photon- 
counting detectors. In practice, the second condition is 
the more stringent one. Assuming a time jitter of the 
order of 500 ps, an imbalance of at least 1.5 ns keeps 
the overlap between the peaks low. 

The main difficulty associated with this QC scheme is 
that the imbalances of Alice's and Bob's mterferometezs 
must be kept stable to within a fraction of the wave- 
length of the photons during a key exchange to maintain 
correct phase relations. This implies that the interferom- 
eters must he in containers whose temperature is stabi- 
lized. In addition, for long key exchanges an active sys- 
tem is necessary to compensate for drift.^ Finally, in 
order to ensure the indistinguishabihty of both interfer- 
ing processes, one must make sure that in each interfer- 
ometer the polarization transformation induced by the 
short path is the same as that induced by the long path. 
Both Alice and Bob must then use a polarization con- 
troller to fulfill this condition. However, the polarization 
transformation is rather stable in short optical fibers 
whose temperature is kept stable and which do not ex- 
perience strains. Thus this adjustment does not need to 
be repeated frequently. 

Paul Tapster and John Rarity of DERA, the Defence 
Evalution and Research Agency (Malvern, England), 
working with Paul Townsend, were the first to test this 
system over a fiber optic spool of 10 km (Townsend 
et al, 1993a, 1993b). Townsend later improved the inter- 
ferometer by replacing Bob's input coupler with a polar- 
ization splitter to suppress the lateral noninterfering 
peaks (1994). In this case, it is again unfortunately nec- 
essary to align the polarization state of the photons at 
Bob's end, in addition to stabilizing the imbalance in the 
interferometers. He later thoroughly investigated key 
exchange with phase coding and improved the transmis- 
sion distance (Marand and Townsend, 1995; Townsend, 
1998b). He also tested the possibility of multiplexing a 



^Polarization coding requires the optimization of three pa- 
rameters (three parameters are necessary for unitary polariza- 
tion control). In comparison, phase coding requires optimiza- 
tion' of only . one parameter. This, is possible because the 
coupling ratios of the beamsplitters are fixed. Both solutions 
would be equivalent if >one could limit the polarization evolu- 
tion to rotations of the elliptic states .without changes in the 
ellipticity. 



80 



Qisin et al.\ Quantum cryptography 



171 



quantum channel using two different wavelengths with 
conventional data transmission over a single optical fiber 
(Townsend, 1997a). Richard Hughes and co-workers 
from Los Alamos National Laboratory have also exten- 
sively tested such an interferometer (1996; Hughes, Mor- 
gan, and Peterson, 2000) up to distances of 48 km of 
installed optical fiber.^^ 

2. ''Plug-evid-play" systems 

As discussed in die two previous sections, both polar- 
ization and phase coding require active compensation of 
optical path fluctuations. A simple approach would be to 
alternate between adjustment periods — ^when ptdses 
containing large numbers of photons are exchanged be- 
tween Alice and Bob to adjust the compensating system 
correcting for slow drifts in phase or polarization — ^and 
qubits transmission periods, when the number of pho- 
tons is reduced to a quantum level. 

An approach invented in 1989 by Martinelli, then at 
CISE Tecnoiogie Innovative in Milano, allows one to 
automatically and passively compensate for all polariza- 
tion fluctuations in an optical fiber (see also Martinelli, 
1992). Let us first consider what happens to the polar- 
ization state of a Ught pulse traveling through an optical 
fiber, before being reflected by a Faraday mirror — a mir- 
ror with a \/4 Faraday rotator^ in front. We must first 
define a convenient description of the change in polar- 
ization of light reflected by a mirror at normal incidence. 
Let the mirror be in the x-y plane and z be the optical 
axis. Clearly, all linear polarization states are unchanged 
by a reflection. However, right-handed circular polariza- 
tion is changed into left-handed and vice versa. Actually, 
after a reflection the rotation continues in the same 
sense, but since the propagation direction is reversed, 
right-handed and left-handed polarizations are swapped. 
The same holds for elliptic polarization states: the axes 
of the ellipse are unchanged, but right and left are ex- 
changed. Accordingly, on a Poincare sphere the polar- 
ization transformation upon reflection is described by a 



^^Note that m this experiment, Hughes and co-workers used 
an unusually high mean number of photons per pulse. They 
used a mean photon number of approximately 0.6 in the cen- 
tral interference peak, corresponding to a /x« 1.2 in the pulses 
leaving Alice. The latter value is the relevant one for eaves- 
dropping analysis, since Eve could use an interferometer- 
conceivable with present technology — in which the first cou- 
pler was replaced by an optical switch and that allowed her to 
exploit all the photons sent by Alice. In light of this high /a and 
optical losses (22.8 dB), one may argue that this implementa- 
tion was not secure, even when taking into account only so- 
called realistic eavesdropping strategies (see Sec, VI. I). Finally, 
it is possible to estimate the results that other groups would 
have obtained if they had used a similar value of fi. One then 
finds that key distribution distances of the same order could, 
have been achieved. This illustrates that the distance is a some- 
what arbitrary figure of merit for a QC isystem. 

■'^hese commercially available components are extremely 
coinpact and convenient when . using telecommunications 
wavelengths, which is not true for other wavelengths. 
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FIG. 17. Evolution of the polarization state of a Ught pulse 
represented on the Poincare sphere over a round-trip propa- 
gation along an optical fiber terminated by a Faraday mirror. 



synunetry through the equatorial plane: the north and 
south hemispheres are exchanged [m— >(mi,m2, 
~ W3)], or in terms of the qubit state vector, 



^1 



(37) 



• This is a simple representation, but some attention has 
to be paid. This transformation is not unitary. Indeed, 
the above description switches from a right-handed ref- 
erence frame XYZ to a left-handed one XYZ, where 
-Z. There is nothing wrong in doing this, and this 
explains the nonunitary polarization transformation.^^ 
Note that other descriptions are possible, but they re- 
quire artificially breaking the XY symmetry. The main 
reason for choosing this particular transformation is that 
the description of the polarization evolution in the opti- 
cal fiber before and after the reflection is then straight- 
forward. Indeed, let u^e'^'^^^^^ describe this evolu- 
tion under the effect of some modal birefringence B in a 
fiber section of length / (where a is the vector whose 
components are the PauU matrices). Then the evolution 
after reflection is simply described by the inverse opera- 
tor V'^^e^^^^^^, Now tiiat we have a description of 
the mirror, let us add the Faraday rotator. It produces a 
ir/2 rotation of the Poincare sphere around the north- 
south axis: F=e~^'^°'i^^ (see Fig. 17). Because the Fara- 
day effect is nonreciprocal (remember that it is due to a 
magnetic field, which can be thought of as produced by a 
spiraling electric current), the direction of rotation 
around the north-south axis is independent of the light 
propagation direction. Accordingly, after reflection on 
the mirror, the second passage through the Faraday ro- 
tator rotates the polarization in the same direction (see 
again Fig. 17) and is described by the same operator F. 
Consequently, the total effect of a Fauraday. mirror is to 



^^Note that this transformation is positive, but not completely 
positive. It is thus closely connected to the partial transposition 
map (Peres, 1996). If several photons are entangled, then it is 
crucial to describe all of them in frames with the same chirality 
Actually that this is necessary is the content of the Peres- 
Horodecki entanglement witness (Horodecki er aL, 1996). 
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change any inconaing polarization state into its orthogo- 
nal state: m-^-m. ITiis is best seen in Fig. 17 but can 
also be expressed mathematically: 



FTF: 



(38) 



Finally, the whole optical fiber can be modeled as con- 
sistmg of a discrete number of bireMngent elements. If 
there are N such elements in front of the Faraday mir- 
ror, the change in polarization during a round trip can be 
expressed (recall that the operator FTF only changes 
the sign of the corresponding Bloch vector m=(^|^| ^)) 
as 

[/r^ - • VJf'^FTFUN • • • t/i = FTF, (39) 

The output polarization state is thus orthogonal to the 
input one, regardless of any birefringence in the fibers. 
This approach can thus correct for time- varying birefrin- 
gence changes, provided that they are slow compared to 
the time required for the light to make a round trip (a 
few hundred microseconds). 

By combining this approach with time multiplexing in 
a long-path interferometer, it is possible to implement a 
quantum cryptography system based on phase coding in 
which all optical and mechanical fluctuations are auto- 
matically and passively compensated for (Muller etal, 
1997). We performed the first experiment on such a sys- 
tem in early 1997 (Zbinden et aL, 1997), and a key was 
exchanged over a 23-km installed optical fiber cable (the 
same one as was used in the polarization coding experi- 
ments mentioned above). This setup featured a high in- 
terference contrast (fringe visibility of 99.8%) and excel- 
lent long-term stability and clearly established the value 
of the approach for QC. The fact that no optical adjust- 
ments were necessary earned it the nickname of "plug- 
and-play" setup. It is interesting to note that the idea of 
combining time multiplexing with Faraday mirrors was 
first used to implement an "optical microphone" 
(Breguet and Gisin, 1995).^^ 

However, our first realization still suffered from cer- 
tain optical inefficiencies, and it has been improved since 
then. Like the setup tested in 1997, the new system is 
based on time multiplexing, in which the interfering 
pulses travel along the same optical path, but now, in 
different time ordering. A schematic is shown in Fig. 18. 
Briefly, the general idea is that pulses emitted at Bob's 
end can travel along one of two paths: they can go via 
the short arm, be reflected at the Faraday mirror (FM) 
at Alice's end, and finally, back at Bob's, setup travel via 
the long arm. Or, they travel first via the long arm at 
Bob's end, get reflected at Alice's end, aiid return via the 
short arm of . Bob's setup. These two possibilities then 
superpose on beamspUtter Ci . We shall now explain the 



^^ote that since then, we have used this interferometer for 
various other applications: a nonlinear index-of-refraction 
measurement in fibers (Vinegoni, Wegmuller, and Gisin, 2000) 
and an optical switch (Vinegoni, Wegmuller, Hiittnier, and Gi: 
sin, 2000). 
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FIG. 18. Self-aligned plug-and-play system: LD, laser diode; 
APD, avalanche photodiode; Q, fiber coupler; PMy, phase 
modulator; PBS, polarizmg beamsplitter, DL, optical delay 
line; FM, Faraday minor; , classical detector. 

realization of this scheme in greater detail: A short and 
bright laser pulse is injected into the system through a 
circulator. It spUts at a coupler. One of the half pulses, 
labeled Pi , propagates through the short arm of Bob's 
setup directiy to a polarizing beamsplitter. The polariza- 
tion transformation in this arm is set so that it is fiilly 
transmitted. Pj is then sent through the fiber optic Unk. 
The second half pulse, labeled P2 , takes the long arm to 
the polarizing beamsplitter. The polarization evolution is 
such that P2 is reflected. A phase modulator present in 
this long arm is left inactive so that it imparts no phase 
shift to the outgoing pulse. P2 is also sent through the 
link, with a delay on the order of 200 ns. Both half 
pulses travel to Alice. Pi goes through a coupler. The 
diverted light is detected with a classical detector to pro- 
vide a timing signal. This detector is also important in 
preventing so-called Trojan horse attacks, which are dis- 
cussed in Sec, VI.K. The nondiverted hght then propa- 
gates through an attenuator and an optical delay hne — 
consisting simply of an optical fiber spool — ^whose role 
will be explained later. Finally, it passes a phase modu- 
lator before being reflected by the Faraday mirror. P2 
follows the same path. Ahce briefly activates her modu- 
lator to apply a phase shift on Pi only, in order to en- 
code a. bit value exactiy as in the traditional phase- 
coding scheme. The attenuator is set so that when the 
pulses leave Alice, they contain no more than a fraction 
of a photon. When they reach the polarizing beamsplit- 
ter after their return trip through the Unk, the polariza- 
tion state of the pulses is exactly orthogonal to what it 
was when they left, thanks to the effect of the Faraday 
mirror. Pi is then reflected instead of being transmitted. 
It takes the long arm to the coupler. When it passes, Bob 
activates his modulator to apply a phase shift used to 
implement his basis choice. Simflarly, P2 is transmitted 
and takes the short arm. Both pulses reach the coupler 
at the same time and they interfere. Single-photon de- 
tectors are then used to record the output port chosen 
by the photon. 

We implemented the four full-state BB84 protocol 
with this setup. The system was tested once again on the 
same installed optical fiber cable linking Geneva and 
Nyon (23 km; see Fig. 13) at 1300 nm, and we observed 
a very low QBERppf^i;4% (Ribordy a/., 1998, 2000). 
Proprietary electronics and software were developed to 
allow for fully automated and user-friendly operation of 
the system, Because of the intrinsically bidirectional na- 
ture of this system, great attention had to be paid to 
Rayleigh backscattenng. Light traveling in an optical fi- 
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ber undergoes scattering by inhomogeneities. A small 
fraction («1 %) of this light is recaptured by the fiber in 
the backward direction. When the repetition rate is high 
enough, pulses traveling to and from Alice must inter- 
sect at some point along the line. Their intensity, how- 
ever, is strongly different. The pulses are more than a 
thousand times brighter before than after reflection 
from Alice. Badcscattered photons can accompany a 
quantum pulse propagating back to Bob and induce 
false counts. We avoided this problem by making sure 
that pulses traveling to and from Bob are not present in 
the line simultaneously. They are emitted by Bob in the 
form of trains. Alice stores these trains in her optical 
delay line, which consists of an optical fiber spool. Bob 
waits until all the pulses of a train have reached him 
before sending the next one. Although it completely 
solves the problem of Raylcigh backscattering-induced 
errois, this configuration has the disadvantage of reduc- 
ing the effective repetition frequency. A storage line half 
as long as the transmission line amounts to a reduction 
of the bit rate by a fector of approximately 3, 

Researchers at IBM simultaneously and indepen- 
dently developed a similar system at 1300 nm (Bethune 
and Risk, 2000). However, they avoided the problems 
associated with Rayleigh backscattering by reducing the 
intensity of the pulses emitted by Bob. Since these could 
not be used for synchronization purposes any longer, 
they added a wavelength-multiplexed classical channel 
(1550 nm) in the line to allow Bob and Alice to synchro- 
nize their systems. They tested their setup on a 10-km 
optical fiber spool. Both of these systems are equivalent 
and exhibit similar performances. In addition, the group 
of Anders Karlsson at the Royal Institute of Technology 
in Stockholm verified in 1999 that this technique also 
works at a wavelength of 1550 nm (Bourennane etaL, 
1999, 2000). These experiments demonstrate the poten- 
tial of plug-and-play-iike systems for real-world quan- 
tum key distribution* They certainly constitute a good 
candidate for the realization of prototypes. 

Their main disadvantage with respect to the other sys- 
tems discussed in this section is that they are more sen- 
sitive to Trojan horse strategies (see Sec. VI.K). Indeed, 
Eve could send a probe beam and recover it through the 
strong reflection by the mirror at the end of Alice's sys- 
tem. To prevent such an attack, Alice adds an attenuator 
to reduce the amount of light propagating through her 
system. In addition, she must monitor the incoming in- 
tensity using a classical Unear detector. Systems based on 
this approach cannot be operated with a true single- 
photon source and thus will not benefit from the 
progress in this field.^^ 

. . D. Frequency coding 

Phase-based systems for QC require phase synchroni- 
zation and stabilization. Because of the high frequency 



^be fact that the pulses make a round trip implies that, 
losses are doubled, yielding a reduced counting rate. 

Rev. Mod. Phys., Vol. 74, No. 1, January 2002 



Quantum 
Channel 




ioddng 



FIG. 19. Implementation of sideband modulation: LD, laser 
diode; A, attenuator; PM/ , optical phase modulator; $y , elec- 
tronic phase controller; RFO^t » radio frequency oscillator; FP, 
Fabry-Perot filter; APD, avalanche photodiode. 

of optical waves (approximately 200 THz at 1550 nm), 
this condition is difficult to fulfill. One solution is to use 
self-aUgned systems like the plug-and-play setups dis- 
cussed in the previous section. Goedgebuer and hiis team 
from the University of Besangon, in France, introduced 
an alternative solution (Sun etaL, 1995; Mazurenko 
etaL, 1997; Merolla etaL, 1999; see also Molotkov, 
1998). Note that the title of this section is not completely 
accurate, since the value of the qubits is coded not in the 
frequency of the light, but in the relative phase between 
sidebands of a central optical frequency. 

Their system is depicted in Fig. 19. A source emits 
short pulses of classical monochromatic light with angu- 
lar frequency cu^, A first phase modulator PM^ modu- 
lates the phase of this beam with a frequency fKoj^ and 
a small modulation depth. Two sidebands are thus gen- 
erated at frequencies (Os±Ct. The phase modulator is 
driven by a radio-frequency oscillator RFO^ whose 
phase <I>^ can be varied. Finally, the beam is attenuated 
so that the sidebands contain much less than one photon 
per pulse, while the central peak remains classical. After 
the transmission link, the beam experiences a second 
phase modulation applied by PM^ . This phase modula- 
tor is driven by a second radio-frequency oscillator 
RFO5 with the same frequency CI and phase ^ b These 
oscillators must be synchronized. After passing through 
this device, the beam contains the original central fre- 
quency 0)5, the sidebands created by Alice, and the 
sidebands created by Bob. The sidebands at frequencies 
a)s±Sl are mutually coherent and thus yield interfer- 
ence. Bob can then record the interference pattern in 
these sidebands after removal of the central frequency 
and the higher-order sidebands with a spectral filter. 

To implement the B92 protocol (see Sec. II.D.l), Al- 
ice randomly chooses the value of the phase for 
each pulse. She associates a bit value of 0 with phase 0 
and a bit value of 1 with phase it. Bob also randomly 
chooses whether to apply a phase 0 5 of 0 or tt. One can 
see that if |O^-<I)5|=0, the interference is constructive 
and Boip's single-photon detector has a nonzero prob- 
ability of recording a count. This probability depends on 
the number of photons initially present in the sidfeband, 
as well as on the losses induced by the channel. On the 
other hand, if I^a^^b] - interference is destructive, 
and no count will ever be recorded. Consequently, Bob 
can infer, every time he records a count, that he applied 
the same phase as Alice. When a . given puke does not 
yield a detection, the reason can be that the phases ap- 
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plied were different and destructive interference took 
place. It can also mean that the phases were actually 
equal, but the pulse was empty or the photon got lost. 
Bob cannot decide between these two possibilities. 
From a conceptual point of view, Alice sends one of two 
. nonorthogonal states. There is then no way for Bob to 
distinguish between them deterministically. However, he 
can perform a generalized measurement, also known as 
a positive operator value measurement, yfbich will some- 
times fail to give an answer, but at all other times gives 
the correct one. 

Eve could perform the same measurement as Bob. 
When she obtains an inconclusive result, she could just 
block both the sideband and the central frequency so 
that she does not have to guess a value and does not risk 
introducing an error. To prevent her from doing that, 
Bob verifies the presence of this central frequency. Now 
if Eve tries to conceal her presence by blocking only the 
sideband, the reference central frequency will still have 
a certain probability of introducing an error. It is thus 
possible to catch Eve in both cases. The monitoring of 
the reference beam is essential in all two-state protocols 
to reveal eavesdropping. In addition, it was shown that 
this reference-beam monitoring can be extended to the 
four-state protocol (Huttner etaL, 1995). 

The advantage of this setup is that the interference is 
controlled by the phase of the radio-frequency osciQa- 
tors. Their frequency is six orders of magnitude smaller 
than the optical frequency and thus considerably easier 
to stabilize and synchronize. It is indeed a relatively 
simple task, which can be achieved by electronic means. 
The Besangon group performed key distribution with 
such a system. The source they used was a distributed 
Bragg reflector (DBR) laser diode at a wavelength of 
1540 nm and a bandwidth of 1 MHz. It was externally 
modulated to obtain 50-ns pulses, thus increasing the 
bandwidth to about 20 MHz. They used two identical 
LiNbOa phase modulators operating at a frequency 
fl/27r=300 MHz. Their spectral filter was a Fabry-Perot 
cavity with a finesse of 55. Its resolution was 36 MHz. 
They performed key distribution over a 20-km single- 
mode optical fiber spool, recording a QBER^pf contri- 
bution of approximately 4%. They estimated that 2% 
could be attributed to the transmission of the central 
frequency by the Fabry-Perot cavity. Note also that the 
detector noise was relatively high due to the long pulse 
durations. Both these errors could be lowered by in- 
creasing the separation between the central peak and 
the sidebands, allowing reduced pulse widths and hence 
shorter detection times and lower dark counts. Never- 
theless, a compromise must be found since, in addition 
to the technical drawbacks of high-speed modulation, 
the polarization transformation in an optical fiber de- 
pends on the wavelength; Tlie remaining 2% of the 
QBERopr is due to polarization effects in the setup. 

This system is another possible candidate. Its main, 
advantage is that it could be used with a triie single- 
photon source if it existed; On the other hand, the con- 
tribution of imperfect interference visibility to the error 
rate is significantly higher than that measured with plug- 
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and-play systems. In addition, if this system is to be truly 
independent of polarization, it is essential to ensure that 
the phase modulators have very low polarization depen- 
dency. In additioDi the stability of the frequency filter 
may constitute a practical difficulty. 



E. Free-space line-of-sight applications 

Since optical fiber channels may not always be avail- 
able, several groups are trying to develop free-space 
Hne-of-sight QC systems capable, for example, of dis- 
tributing a key between building rooftops in an urban 
setting. 

Of course it may sound difficult to detect single pho- 
tons amidst background light, but the first experiments 
have ahready demonstrated the feasibiUty of free-space 
QC Sendmg photons through the atmosphere also has 
advantages, since this medium is essentially nonbirefrin- 
gent (see Sec. 1113.4). It is then possible to use plain 
polarization coding. In addition, one can ensure very 
high channel transmission over long distances by care- 
fully choosing the wavelength of the photons (see again 
Sec. III.B.4). The atmosphere has, for example, a high 
transmission "window" in the vidnity of 770 nm (trans- 
mission as high as 80% can occur between a ground 
station and a satellite), which happens to be compatible 
with conmiercial silicon APD photon-counting modules 
(detection efficiency can be as high as 65% with low 
noise). 

The systems developed for free-space applications are 
actually very similar to that shown in Fig. 12. The main 
difference is that the emitter and receiver are connected 
by telescopes pointing at each other, instead of by an 
optical fiber. The contribution of background light to 
errors can be maintained at a reasonable level by using a 
combination of timing discrimination (coincidence win- 
dows of typically a few nanoseconds), spectral filtering 
(interference filters ^Inm), and spatial filtering (cou- 
pling into an optical fiber). This can be illustrated by the 
following simple calculation. Let us suppose that 
the isotropic spectral background .radiance is 
10^^ Wm^^nm"^ sr"^ at 800 nm. This corresponds to 
the spectral radiance of a clear zenith sky with a sun 
elevation of 77*^ (Zissis and Larocca, 1978). The diver- 
gence ^ of a Gaussian beam with radius Wq is given by 
$=\/wq^. The product of beam (telescope) cross sec- 
tion and solid anjgle, which is a constant, is therefore 
TTWoTT^^X^. By multiplying the radiance by X^, one 
obtains the spectral power density. With an interference 
filter of 1-nm width, the power incident on the detector 
is 6 X 10" W, corresponding to 2 X 10^ photons per sec- 
dnd or 2X10"^ photons per nanosecond. This quantity 
is approximately two orders of magnitude larger than 
the dark-count probabiHty of Si APD 's, but still compat- 
ible with the requirements of QG. The performance of 
free-space QC systems depends dramatically on atmo- 
spheric conditions arid air quality. This is problematic for 
urban apphcations where pollution and aerosols degrade 
the transparency. of air;. 
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Hie first free-space QC experiment over a distance 
of more tiian a few centimeters'"^ was performed by Ja- 
cobs and Franson in 1996. They exchanged a key over a 
distance of 150 m in a hallway illuminated with standard 
fluorescent lighting and over 75 m outdoors in bright 
daylight without excessive QBER. Hughes and his team 
were the first to exchange a key over more thian one 
kilometer under outdoor nighttime conditions (Buttler 
et al, 1998; Hughes, Buttler, et al, 2000). More recently, 
they even improved their system to reach a distance of 
1.6 km under dayUght conditions (Buttler et al, 2000). 
Finally, Rarity and co-workers performed a similar ex- 
periment, in which they exchanged a key over a distance 
of L9 km under nighttime conditions (Gorman etal, 
2001). 

Until quantum repeaters become available and allow 
us to overcome the distance Hmitation of fiber-based 
QC, free-space systems seem to offer the only possibility 
for QC over distances of more than a few dozen kilome- 
ters. A QC link could be established between ground- 
based stations and a low-orbit (300-1200 km) satellite. 
The idea is for Alice and Bob to each exchange a key 
{kj^ and ks, respectively) with the same sateUite, using 
QC. Then the satellite publicly announces the value K 
= kj^®kQ, where © represents the XOR operator or, 
equivalently, the binary addition modulo 2 without carry. 
Bob subtracts his key from this value to recover Alice's 
(kA^KQkB)."^^ The fact that the key is known to 
the satellite operator may at first be seen as a disadvan- 
tage. But this point might actually be conducive to the 
development of QC, since governments always like to 
control communications. Although it has not yet been 
demonstrated, Hughes as well as Rarity have 
estimated — ^m view of their free-space experiments — 
that the difficulty can be overcome. The main difficulty 
would come from beam pointing — do not forget that the 
sateUites will move with respect to the ground — ^and 
wandering induced by turbulence. In order to minimize 
the latter problem, the photons would in practice prob- 
ably be sent down from the satellite. Atmospheric tur- 
bulence is concentrated almost entirely in the first kilo- 
meter above the earth's surface. Another possibile way 
to compensate for beam wander is to use adaptative op- 
tics. Free-space QC experiments over distances of about 
2 km constitute a major step towards key exchange 
with a satellite. According to Buttler et al (2000), the 
optical depth is indeed similar to the effective atmo- 
spheric thickness that would be encountered in a 
surface-to-satellite application. 

F. Multi-user implementations 

Paul Townsend and colleagues have investigated the 
apphcation of QC over multi-user optical fiber networks 



^Remember that Bennett and co-workers performed the 
first demonstration of QC over 30 cm in air (Bennett, Bessette,. 
etai, 1992). 

"^^This scheme could also be used with optical fiber impiemeri- 
tation provided that secure nodes existed. In the case , of,, a 
satellite, one. tacitly assumes that it constitutes suchi a secure 
node. 
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FIG. 20. Multi-user implementation of quantum cryptography 
with one Alice connected to three Bobs by optical fibers. The 
photons sent by Alice randoinly choose to go to one or the 
other Bob at a coupler. 

(Townsend etal, 1994; Phoenix etal, 1995; Townsend, 
1997b). They used a passive optical fiber network archi- 
tecture in which one Alice, the network manager, is con- 
nected to multiple network users (i.e., many Bobs; see 
Fig. 20), The goal is for Alice to establish a verifiably 
secure and unique key with each Bob. In the classical 
limit, the information transmitted by Alice is gathered 
by all Bobs. However, because of their quantum behav- 
ior, the photons are effectively routed at the beamsplit- 
ter to one, and only one, of the users. Using the double 
Mach-Zehnder configuration discussed above, they 
tested such an arrangement with three Bobs. Neverthe- 
less, because of the fact that QC requires a direct and 
low-attenuation optical channel between Alice and Bob, 
the ability to implement it over large and complex net- 
works appears limited. 

V. EXPERIIVIENTAL QUANTUiVI CRYPTOGRAPHY WiTH 
PHOTON PAIRS 

The possibihty of using entangled photon pairs for 
quantum cryptography was first proposed by Ekert in 
1991. In a subsequent paper, he investigated, with other 
researchers, the feasibihty of a practical system (Ekert 
etal, 1992). Although all tests of Bell's inequaUties (for 
a review see, for example, Zeihnger, 1999) can be seen 
as experiments in quantum cryptography, systems spe- 
cifically designed to meet the special requirements of 
QC, like quick changes of basis, have been implemented 
only recently."*^ In 1999, three groups demonstrated 
quantum cryptography based on the properties of en- 
tangled photons. Their results were reported in the same 
issue of Phys, Rev. Lett. (Jennewein, Simon, etal, 2000; 
Naik et al, 2000; Tittel et al, 2000), illustrating the rapid 
progress in the still new field of quantum communica- 
tion. 

One advantage of using photon pairs for QC is the 
fact that one can remove empty pulses, since the detec- 



/*^This definition of quantum cryptography applies to the fa- 
, mous experiment by Aspect and co-workers testing Bell's in- 
equalities with time-varying analyzers (Aspect et al, 1982). QC 
had, however, not yet been invented. It also, applies to the 
more recent experiments closing locality loopholes, like the 
one performed in Innsbruck, using fast polarization modulators 
(Weihs et dl, 1998) or the one performed in Geneva using two 
analyzers on each side (Tittel et al, 1999; Gisin and Zbinden, 
1999). 
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tion of one photon of a pair reveals the presence of a 
companion. In principle, it is thus possible to have a 
probability of emitting a nonempty pulse equal to one.^^ 
It is beneficial only because currently avaUable single- 
photon detectors feature a high dark-count probability. 
The difficulty of always collecting both photons of a pair 
somewhat reduces this advantage. One frequently hears 
that photon pairs have the advantage of avoiding multi- 
photon pulses, but this is not correct. For a given mean 
photon number, the probability that a nonempty pulse 
contains more than one photon is essentially the same 
for weak pulses as for photon pairs (see Sec. in. A.2). 

A second advantage is that using entangled photons 
pair prevents unintended information leakage in unused 
degrees of freedom (Mayers and Yao, 1998). Observing 
a QBER lower than approximately 15%, or equivalently 
observing that Bell's inequality is violated, indeed guar- 
antees that the photons are entangled, so that the differ- 
ent states are not fully distinguishable through other de- 
grees of freedom. A third advantage was indicated 
recently by new and elaborate eavesdropping analyses. 
The fact that passive state preparation can be imple- 
mented prevents multiphoton splitting attacks (see Sec. 
VIJ). 

The coupling between the optical frequency and the 
property used to encode the qubit, i.e., decoherence, is 
rather easy to master when using faint laser pulses. 
However, this issue is more serious when using photon 
pairs, because of the larger spectral width. For example, 
for a spectral width of 5 nm full width at half maximum 
(FWHM) — a typical value, equivalent to a coherence 
time of 1 ps — ^and a fiber with a typical polarization 
mode dispersion of 0.2 ps/>/km, transmission over a few 
kilometers induces significant depolarization, as dis- 
cussed in Sec. in.B,2. In the case of polarization- 
entangled photons, this effect gradually destroys their 
correlation. Although it is in principle possible to com- 
pensate for this effect, the statistical nature of the polar- 
ization mode dispersion makes this impractical.'*^ 
Although perfectly fitie for free-space QC (see Sec. 
IVE), polarization entanglement is thus not adequate 
for QC over long optical fibers. A similar effect arises 
when dealing with energy-time-entangled photons. 
Here, the chromatic dispersion destroys the strong time 
correlations between the photons forming a pair. How- 
ever, as discussed in Sec. in.B.3, it is possible to com- 
pensate passively for this effect either using additional 
fibers with opposite dispersion, or exploiting the inher- 
ent energy correlatioii of photon pahs. 




p 


Bob 

BS 


PR ^ 


#APD 



/^Photon-pair sources are often, though not always, pumped 
continuously. In these cases, the time window determined by a 
trigger detector and electronics defines an effective pulse. 

■In the case of weak pulses, we saw that a full round trip 
together with the use of Faraday mirrors circumvents the prob- 
lem (see Sec. IV.C.2). However, since the channel loss on the 
way from the source to the Faraday mirror inevitably increases 
the fraction of empty pulses, the main advantage, of photon 
' pairs vanishes in such a coniiguratioii. * 



FIG. 21. Typical system for quantum cryptography exploiting 
photon pairs entangled in polarization: PR, active polarization 
rotator; PBS, polarizing beamsplitter; APD, avalanche photo- 
diode. 



Generally speaking, entanglement-based systems are 
far more complex than setups based on faint laser 
pulses. They will most certainly not be used in the near 
future for the realization of industrial prototypes. In ad- 
dition, the current experimental key creation rates ob- 
tained with these systems are at least two orders of mag- 
nitude smaller than those obtained with faint laser pulse 
setups (net rate on the order of a few tens of bits per 
second, in contrast to a few thousand bits per second for 
a 10-km distance). Nevertheless, they offer interesting 
possibiUties in the context of cryptographic optical net- 
works. The photon-pair source can indeed be operated 
by a key provider and situated somewhere in between 
potential QC customers. In this case, the operator of the 
source has no way of getting any information about the 
key obtained by Alice and Bob. 

It is interesting to emphasize the close analogy be- 
tween one- and two-photon schemes, which was first 
noted by Bennett, Brassard, and Mermin (1992). In a 
two-photon scheme, when Alice detects her photon, she 
effectively prepares Bob's photon in a given state. In the 
one-photon analog, AUce's detectors are replaced by 
sources, while the photon-pair source between Alice and 
Bob is bypassed The difference between these schemes 
hes only in practical issues, Uke the spectral widths of 
the hght. Alternatively, one can look at this analogy 
from a different point of view: in two-photon schemes, it 
is as if AHce*s photon propagates backwards in time 
from Alice to the source and then forward in time from 
the source to Bob, 

A Polarization entanglement 

A first class of experiments takes advantage of 
polarization-entangled photon pairs. The setup, depicted 
in Fig. 21, is similar to the scheme used for polarization 
coding based on faint pulses. A two-photon source emits 
pairs of entangled photons flying back to back towards 
Alice and Bob, Each photon is analyzed with a polariz- 
ing beamsplitter whose orientation with respect to a 
common reference system can be changed rapidly.. The 
results of two experiments were reported in the spring of 
2000 (Jennewein, Simon, er a/., 2000; Naik etal., 2000). 
Both used phototi pairs at' a wavelength of 700 nm, 
which were detected with commercial single-photon de- 
tectors based on sihcon APD's. To create the photon 
pairs, both groups took advantage of parametric down- 
conversion in one or two ^-BaB204 (BBO) crystals 
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FIG. 22. Principle of phase- 
coding quantum cryptography 
using energy-tinie-entangled 
photon pairs. 



pumped by an argon-ion laser. The analyzers consisted 
of fast modulators that were used to rotate the polariza- 
tion state of the photons, in front of polarizing beam- 
splitters. 

The group of Anton Zeilinger, then at the University 
of Innsbruck, demonstrated such a cryptosystem, includ- 
ing error correction, over a distance of 360 m (Jenne- 
wein, Simon, etaL, 2000). Inspired by a test of Bell's 
inequalities performed with the same setup a year ear- 
lier (Weihs etaL, 1998), they positioned the two-photon 
source near the center between the two analyzers. Spe- 
cial optical fibers, designed for guiding only a single 
mode at 700 nm, were used to transmit the photons to 
the two analyzers. The results of the remote measure- 
ments were recorded locally, and the processes of key 
sifting and error correction were implemented at a later 
stage, long after the distribution of the qubits. Two dif- 
ferent protocols were implemented: one based on Wig- 
ner's inequality (a special form of Bell's inequalities) and 
the other based on BB84. 

The group of Paul Kwiat, then at Los Alamos Na- 
tional Laboratory, demonstrated the Ekert protocol 
(Naik et al, 2000). This experiment was a table-top re- 
alization in which the source and the analyzers were 
separated by only a few meters. The quantmn channel 
consisted of a short free-space distance. In addition to 
performing QC, the researchers simulated different 
eavesdropping strategies. As predicted by theory, they 
observed a rise in the QBER with an increase of the 
information obtained by the eavesdropper. Moreover, 
they have also recently implemented the six-state proto- 
col described in Sec. II.D.2 and observed the predicted 
QBER increase to 33%.(Enzer et al, 2001). 

The main advantage of polarization entanglement is 
that analyzers are simple and efficient. It is therefore 
relatively easy to obtain high contrast. Naik and co- 
workers, for example, measured a polarization extinc- 
tion of 97%, mainly limited by electronic imperfections 
of the fast modulators. This amounts to a QBERop, cori- 
tribution of only 1.5%, In addition, the constraint on the 
coherence length of the pump laser is not very stringent 
(note that, if it is shorter than the length of the crystal, 
some difficulties can arise, but we. will not go into these 
here). 



In spite of their qualities, it would be difficult to re- 
produce these experiments over distances of more than 
a few kilometers of optical fiber. As mentioned in the 
introduction to this section, polarization is indeed not 
robust enough to avoid decoherence in optical fibers. In 
addition, the polarization state transformation induced 
by an installed fiber frequently fluctuates, making an ac- 
tive alignment system absolutely necessary. Neverthe- 
less, these experiments are very interesting in the con- 
text of free-space QC. 

B. Energy*time entanglement 

1 . Phase coding 

Another class of experiments takes advantage of 
energy-time-entangied photon pairs. The idea originates 
from an arrangement proposed by Franson in 1989 to 
test Bell's inequalities. As we shall see below, it is com- 
parable to the double Mach-Zehnder configuration dis- 
cussed in Sec. IV.C.l. A source emits pairs of energy- 
correlated photons, that were created at exactly the 
same (unknown) time (see Fig. 22). This can be achieved 
by pumping a nonlinear crystal with a pump of long co- 
herence time. The pairs of downconverted photons are 
then split, and one photon is sent to each party down 
quantum channels. Both Alice and Bob possess a widely 
but identically unbalanced Mach-Zehnder interferom- 
eter, with photon-counting detectors connected to the 
outputs. Locally, if Alice or Bob change the phase of 
their interferometer, no effect on the count rates is ob- 
served, since the imbalance prevents any single-photon 
interference. Looking at the detection time at Bob's end 
with respect to the arrival time at Ahce*s end, three, dif- 
ferent values are possible for each combination of detec- 
tors,. The different possibilities in a time spectrum are 
shown in Fig.. 22. First, both photons can propagate 
through the short arms of the interferometers. Second, 
one can take the long arm at Alice's end, while the other 
one takes the short one at Bob's, or vice versa. Finally, 
both photons can propagate through the long arms. 
. When the path differences of the interferometers are 
matched to within a fraction of the coherence length of 
the downconverted photons,, the short-short and the 
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FIG. 23. System for quantum cryptography based on phase- 
coding entanglement APD, avalanche photodiode. The pho- 
tons choose their bases randomly at Alice and Bob% couplers. 



long-long processes are indistinguishable, provided that 
the coherence length of the pump photon is larger than 
the path-length dii^erence. Conditioning detection 
only on the central time peak, one observes two- 
photon interferences — ^nonlocal quantum correlations 
(Franson, 1989)"^^ — ^that depend on the sum of the rela- 
tive phases in Alice's and Bob's interferometers (see Fig. 
22). The phases of Alice's and Bob's interferometers can, 
for example, be adjusted so that both photons always 
emerge from the same output port. It is then possible to 
exchange bits by associating values with the two ports. 
This, however, is insufficient. A second measurement ba- 
sis must be implemented to ensure security against 
eavesdropping attempts. This measurement can be 
made, for example, by adding a second interferometer 
to the systems (see Fig. 23). In this case, when reaching 
an analyzer, a photon chooses randomly to go to one or 
the other interferometer. The second set of interferom- 
eters can also be adjusted to yield perfect correlations 
between output ports. The relative phases between their 
arms should, however, be chosen so that when the pho- 
tons go to interferometers that are not associated with 
each other, the outcomes are completely uncorrelated. 

Such a system features passive state preparation by 
Alice, yielchng security against multiphoton splitting at- 
tacks (see Sec. VI. J). In addition, it also features a pas- 
sive basis choice by Bob, which constitutes an elegant 
solution: neither a random-number generator nor an ac- 
tive modulator are necessary. It is nevertheless clear that 
QBER^^, and QBER^cc [defined in Eq. (33)] are 
doubled, since the number of activated detectors is twice 
as high. This disadvantage is not as important as it first 
appears, since the alternative, a fast modulator, intro- 
duces losses close to 3 dB, also resulting in an increase 
of these error contributions. The striking similarity be- 
tween this scheme and the double Mach-Zehnder ar- 
rangement discussed in the context of faint laser pulses 
in Sec. IV.C.l is obvious when one compares Figs. 24 
. and 16. 

. This scheme was realized in the first half of 2000 by 
our group at the University of Geneva (Ribordy etqL, 



"^^Thc imbalance of the interferometers must be large enough 
so that the middle peak can easily be distinguished from the 
satellite ones. This minimal imbalance is determined by the 
convolution of the detector's jitter (tens of picoseconds), the 
electronic jitter (from tens to hundreds of picoseconds), and 
the single-photon coherence time (< i ps). 

Rev. Mod. Phys,, Vo!. 74, No. 1, January 2002 



ARce 







Bob ^^^^ 









Source 

FIG. 24. Quantum cryptography system exploiting photons en- 
tangled in energy-time and active basis choice. Note the simi- 
larity to the faint-laser double Mach-2^hnder implementation 
depicted in Fig. 16. 

2001). It was the first experiment in which an asymmet- 
ric setup optimized for QC was used instead of a system 
designed for tests of Bell^ inequality, with a source lo- 
cated midway between Alice and Bob (see Fig. 25). The 
two-photon source (a KNb03 crystal pumped by a 
doubled Nd-YAG laser) provided energy-time- 
entangled photons at nondegenerate wavelengths — one 
at around 810 nm, the other centered at 1550 nm. This 
choice allowed the use of high-efficiency siHcon-based 
single-photon counters featuring low noise to detect the 
photons of the lower wavelength. To avoid the high 
transmission losses at this wavelength in optical fibers, 
the distance between the source iand the corresponding 
analyzer was very short, of the order of a few meters. 
The other photon, at the wavelength where fiber losses 
are minimal, was sent via an optical fiber to Bob's inter- 
ferometer and then detected by InGaAs APD's. The de- 
coherence induced by chromatic dispersion was limited 
by the use of dispersion-shifted optical fibers (see Sec. 
ni.B3), 

Implementing the BB84 protocol in the manner dis- 
cussed above, with a total of four interferometers, is dif- 
ficult. Indeed, they must be aligned and their relative 
phase kept accurately stable during the whole key distri- 
bution session. To simplify this problem, we devised 
birefringent interferometers with polarization multiplex- 
ing of the two bases. Consequently the constraint on the 
stability of the interferometers was equivalent to that 
encountered in the faint-pulse double Mach-Zehnder 
system. We obtained interference visibilities typically of 
91%, yielding m turn a QBER^jp, contribution of about 
4%. We demonstrated QC over a transmission distance 
of 8.5 km in a laboratory setting using a fiber on a spool 
and generated several megabits of key in hour-long ses- 




FIG. 25. Schematic diagram of the first system designed and 
optimized for lonjg-distance quantum cryptography and ex- 
ploiting phase coding of entanigled photons;. 
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FIG. 26, Schematics of quantum cryptography using 
entangled-photon phase-time coding. 



sions. This is the longest span realized to date for QC 
with photon pairs. 

As already mentioned, it is essential for this scheme to 
have a pump laser whose coherence length is longer 
than the path imbalance of the interferometers. In addi- 
tion, its wavelength must remain stable during a key ex- 
change session. These requirements imply that the pump 
laser must be somewhat more elaborate than in the case 
of polarization entanglement. 

2, Phase-time coding 

We have mentioned in Sec. IVC that states generated 
by two-path interferometers are two-level quantiun sys- 
tems. They can also be represented on a Poincare 
sphere. The four states used for phase coding in the pre- 
vious section would lie equally distributed on the equa- 
tor of the sphere. The coupling ratio of the beamsplitter 
is 50%, and a phase difference is introduced between 
the components propagating through either arm. In 
principle, the four-state protocol can be equally well 
implemented with only two states on the equator and 
two others on the poles. In this section, we present a 
system exploiting such a set of states. Proposed by our 
group in 1999 (Brendel et a/., 1999), the scheme follows 
in principle the Franson configuration described in the 
context of phase coding. However, it is based on a 
pulsed source emitting entangled photons in so-called 
energy-time Bell states (Tittel et al, 2000). The emission 
time of the photon pair is therefore given by a superpo- 
sition of only two discrete terms, instead of by a wide 
and continuous range bounded only by the long coher- 
ence length of the pump laser (see Sec. V.B.I). 
. Consider Fig* 26: If Alice registers the arrival times of 
the photons with respect to the emission time of the 
pump pulse /q j she finds the photons in one of three 
time slots (note that she has two detectors to take into 
account). For instance, detection of a photon in the first 
slot corresponds to the pump photon's having traveled 
via the short ami and the downconverted photon's hav- 
ing traveled via the short arm. To keep it simple, we 
refer to this process as Ij)^,!^)^ , where P stands for the 



pump and A for Ahce*s photon."^ However, the charac- 
terization of the complete photon pair is still ambiguous, 
since, at this point, the path of the photon that has trav- 
eled to Bob (short or long in his interferometer) is un- 
known to Alice. Figure 26 illustrates all processes lead- 
ing to a detection in the different time slots both at 
AHce's and at Bob's detector. Obviously,, this reasoning 
holds for any combination of two detectors. In order to 
build up the secret key, Alice and Bob now publicly 
agree about the events when both detected a photon in 
one of the satellite peaks — ^without revealing in which 
one — or both in the central peak — ^without reveahng in 
which detector. This procedure corresponds to key sift- 
ing. For instance, in the example discussed above, if Bob 
tells Ahce that he has detected his photon in a satellite 
peak, she knows that it must have been the left peak. 
This is because the pump photon has traveled via the 
short arm, hence Bob can detect his photon either in the 
left satellite or in the central peak. The same holds for 
Bob, who now knows that Alices photon traveled via 
the short arm in her interferometer. Therefore, in the 
case of joint detection in a satellite peak, Alice and Bob 
must have correlated detection times. Assigning a bit 
value to each side peak, Alice and Bob can exchange a 
sequence of correlated bits. 

The cases where both find the photon in the central 
time slot are used to implement the second basis. They 
correspond to the |j>/»,|/)aIOb ^md |Oi».l^)^l*)B possi- 
bilities. If these are indistmguishable, one obtains two- 
photon interferences, exactly as in the case discussed in 
the previous section on phase coding. Adjusting the 
phases and keeping them stable, one can use the perfect 
correlations between output ports chosen by the pho- 
tons at Ahce's and Bob's interferometers to establish the 
key bits in this second basis. 

Phase-time coding has recendy been implemented in a 
laboratory experiment by our group (Tittel etal^ 2000) 
and was reported at the same time as the two polariza- 
tion entanglement-based schemes mentioned above. A 
contrast of approximately 93% was obtained, yielding a 
QBERcp, contribution of 3.5%, similar to that obtained 
with the phase-coding scheme. This experiment will be 
repeated over long distances, since losses in optical fi- 
bers are low at the downconverted photon wavelength 
(1300 nm). 

An advantage of this setup is that coding in the time 
basis is particularly stable. In addition, the coherence 
length of the pump laser is no longer critical. However, it 
is necessary to use relatively short pulses («500ps) 
powerful enough to induce a significant downconversion 
probabihty. 

Phase-time coding, as discussed in this section, 
can also be reaUzed with faint laser pulses (Bechmann- 
Pasquinucd and Tittel, .2000). The one-photon configu- 
ration has so far never been realized; It would be similar 
to the double Mach-Zehrider setup discussed iii Sec. 
iV.C.l, but with the first coupler replaced by an active 



^Note that it does not constitute a product state. 
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switch. For the time basis, Alice would set the switch 
either to full transmission or to full reflection, while for 
the energy basis she would set it at 50%. This illustrates 
how research on photon pairs can yield advances on 
faint-pulse systems. 

3. Quantum secret sharing 

In addition to QC using phase- time coding, we used 
the setup depicted in Fig. 26 for the first proof-of- 
prindple demonstration of quantum secret sharing— the 
generalization of quantum key distribution to more than 
two parties (Tlttel et al, 2001). In this new appUcation of 
quantum communication, Alice distributes a secret key 
to two other users, Bob and Charlie, in such a way that 
neither Bob nor Charlie alone has any information 
about the key, but together they have full information. 
As in traditional QC, an eavesdropper trying to get 
some information about the key creates errors in the 
transmission data and thus reveals her presence. The 
motivation behind quantum secret sharing is to guaran- 
tee that Bob and Charlie cooperate— one of them might 
be dishonest — ^in order to obtain a given piece of infor- 
mation. In contrast with previous proposals using three- 
particle Greenberger-Home-Zeilinger states (Zukowski 
et al, 1998; HiUery etal, 1999), pairs of entangled pho- 
tons in so-called energy-time Bell states were used to 
mimic the necessary quantum correlation of three en- 
tangled qubits, although only two photons exist at the 
same time. This is possible because of the symmetry be- 
tween the preparation device acting on the pump pulse 
and the devices analyzing the downconverted photons. 
Therefore the emission of a pump pulse can be consid- 
ered as the detection of a photon with 100% efficiency, 
and the scheme features a much higher coincidence rate 
than that expected with the initially proposed "triple- 
photon'' schemes. 

VI. EAVESDROPPING 

A. Problems and objectiviBs 

After the qubit exchange and basis reconciliation, Al- 
ice and Bob each have a sifted key. Ideally, these keys 
are identical. But in real life, there are always some er- 
rors, and Alice and Bob must apply some classical infor- 
mation processing protocols, lOce error correction and 
privacy amplification to their data (see Sec. ILC.4). The 
first protocol is necessary to obtain identical keys and 
the second to obtain a secret key Essentially, the prob- 
lem of eavesdropping is to find protocols which, given 
that Alice and Bob can only measure the QBER, either 
provide Ahce and Bob with a verifiably secure key or 
stop the protocol and inform the users that the key dis- 
tribution, has failed. This is a deUcate problem at the 
intersection of quantum physics and information theory. 
Actually, it comprises several eavesdropping problems, 
depending on the precise protocol, the degree of idealiT 
zation one. admits, the technological power one assumes 
Eve has, and the assumed fideUty of Alice and Bob's 
equipment. Let us immediately stress that a complete 
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analysis of eavesdropping on a quantum channel has yet 
to be achieved. In this section we review some of the 
problems and solutions, without any claim for math- 
ematical rigor or complete coverage of the huge and 
rapidly evolving literature. 

The general objective of eavesdropping analysis is to 
find ultimate and practical proofe of security for some 
quantum cryptosystenis. /^Ultimate proofs" guarantee 
security against entire daisses of eavesdropping attacks, 
even if Eve uses not only the best of today's technology, 
but any conceivable future technology. These proofe 
take the form of theorems, with clearly stated assump- 
tions expressed in mathematical terms. In contrast, prac- 
tical proofs deal with some actual pieces of hardware 
and software. There is thus a tension between "ulti- 
mate" and "practical" proofs. Indeed, the former favor 
general abstract assumptions, whereas the latter concen- 
trate on physical implementations. Nevertheless, it is 
worth finding such proofs. In addition to the security 
issue, they provide illuminating lessons for our general 
understanding of quantum information. 

In the ideal game Eve has perfect technology: she is 
limited only by the laws of quantum mechanics, but not 
at all by current technology. In particular, Eve cannot 
clone qubits, as this is incompatible with quaintum dy- 
namics (see Sec. ILC.2), but she is free to use any uni- 
tary interaction between one or several qubits and an 
auxiliary system of her choice. Moreover, aifter the inter- 
action, Eve may keep her auxiliary system unperturbed, 
in complete isolation from the environment, for an arbi- 
trarily long time. Finally, after listening to all the public 
discussion between Alice and Bob, she can perform the 
measurement of her choice on her system, being again 
limited only by the laws of quantum mechanics. One 
assumes further that all errors are due to Eve. It is 
tempting to assume that some errors are due to Alice's 
and Bob's instruments, and this probably makes sense in 
practice. However, there is the danger of Eve's replacing 
them with higher-quality instruments (see the next sec- 
tion). 

In the next section we elaborate on the most relevant 
differences betwe^en the above ideal game (ideal espe- 
cially from Eve's point of view) and real systems. Next, 
we return to the idealized situation and present several 
eavesdropping strategies, starting from the simplest, in 
which explicit formulas can be written down, and ending 
with a general abstract security proof. Finally, we discuss 
practical eavesdropping attacks and comment on the 
complexity of a real system's security. 

B. idealized versus real implementation 

Alice and Bob use the technology . available today. 
This trivial remark has several imphcations. First, all 



'^^The question of whether QC would survive the discovery of 
the currently unknown validity limits of quantum mechanics is 
interesting. Let us argue that it is likely that quantum mechan- 
ics will always adequately describe photons at telecommunica- 
tions and visible wavelengths, just as classical mechanics will 
always adequately ..describe the fall of apples* whatever the 
future of physics may be. 
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real components are imperfect, so that the qubits are not 
prepared and detected in the exact basis described by 
the theory. Moreover, a real source always has a finite 
probability of producing more than one photon. De- 
pending on the details of the encoding device, all pho- 
tons carry the same qubit (see Sec. VIJ). Hence, in prin- 
ciple, Eve could measure the photon number without 
perturbing the qubit. This scenario is discussed in Sec. 
VI.H. Recall that, ideally, Alice should emit single-qubit 
photons, i.e., each logical qubit should be encoded in a 
single degree of freedom of a single photon. 

On Bob's side the efficiency of his detectors is quite 
limited and the dark counts (spontaneous counts not 
produced by photons) are non-negUgible. The limited 
e^dency is analogous to the losses in the quantum 
channel. The analysis of the dark counts is more deU- 
cate, and no complete solution is known. Conservatively, 
Liitkenhaus (2000) assumes in his analysis that all dark 
counts provide information to Eve. He also advises that, 
whenever two detectors fire simultaneously (generally 
due to a real photon and a dark count), Bob should not 
disregard such events but should choose a value at ran- 
dom. Note also that the different contributions of dark 
counts to the total QBER depend on whether Bob's 
choice of basis is implemented using an active or a pas- 
sive switch (see Sec. IV.A). 

Next, one usually assumes that Alice and Bob have 
thoroughly checked their equipment and that it is func- 
tioning according to specifications. This assumption is 
not unique to quantum cryptography but is critical, as 
Eve could be the actual manufacturer of the equipment. 
Classical cryptosystems must also be carefully tested, 
like any commercial apparatus. Testing a cryptosystem is 
tricky, however, because in cryptography the client buys 
confidence and security, two quahties difficult to quan- 
tify. Mayers and Yao (1998) proposed using Bell*s in- 
equality to test whether the equipment really obeys 
quantum mechanics, but even this is not entirely satis- 
factory. Interestingly, one of the most subtle loopholes in 
all present-day tests of Bell's inequality, the detection 
loophole, can be exploited to produce purely classical 
software mimicking all quantum correlations (Gisin and 
Gisin, 1999). This illustrates once again the close con- 
nection between practical issues in QC and philosophi- 
cal debates about the foundations of quantum physics. 

Finally, one must assume that Alice and Bob are per- 
fectly isolated from Eve. Without such an assumption 
the entire game would be meaningless: clearly, Eve is 
not allowed to look over Alice*s shoulder. However, this 
elementary assumption is again nontrivial. What if Eve 
uses the quantum channel connecting Alice to the out- 
side world? Ideally, the channel should incorporate an 
isolator^^ to keep Eve from shining light into Alice's out- 
put port to examine the interior of her laboratory, Since 
all isolators operate only on a finite bandwidth, there 
should. also be a filter, but filters have only, a finite effi- 



'^^Optical isolators, based on the Faraday effect, let light pass 
through in only one direction. 
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ciency, and so on. Except for Sec. VI.K, in which this 
assumption is discussed, we shall henceforth assume that 
Alice and Bob are isolated from Eve. 

C. Individual, joint, and collective attacks 

In order to simplify the problem, several eavesdrop- 
ping strategies of limited generality have been defined 
(Liitkenhaus, 1996; Biham and Mor, 1997a, 1997b) and 
analyzed. Of particular interest is the assumption that 
Eve attaches independent probes to each qubit and 
measures her probes one after the other. This class of 
attack is called the individual attack, or incoherent at- 
tack. This important class is analyzed in Sees. VI,D and 
VI.E. IWo other classes of eavesdropping strategies let 
Eve process several qubits coherently, hence the name 
coherent attacks. The most general coherent attacks are 
called joint attacks, while an intermediate class assumes 
that Eve attaches one probe per qubit, as in individual 
attacks, but can measure several probes coherently, as in 
coherent attacks. This intermediate class is called the 
collective attack It is not known whether this class is less 
efficient than the most general class, that of joint attacks. 
It is also not known whether it is more efficient than the 
simpler individual attacks. Actually, it is not even known 
whether joint attacks are more efficient than individual 
ones. 

For joint and collective attacks, the usual assumption 
is that Eve measures her probe only after Ahce and Bob 
have completed all public discussion about basis recon- 
ciliation, error correction, and privacy amplification. For 
the more realistic individual attacks, one assumes that 
Eve waits only until the basis reconciliation phase of the 
public discussion.^^ The motivation for this assumption 
is that one hardly sees what Eve could gain by waiting 
until after the public discussion on error correction and 
privacy amplification before measuring her probes, since 
she is going to measure them independentiy anyway. 

Individual attacks have the nice feature that the prob- 
lem can be entirely translated into a classical one: Alice, 
Bob, and Eve all have classical information in the form 
of random variables a, fi, and e, respectively, and the 
laws of quantum mechanics impose constraints on the 
joint probability distribution ?(a,^,e). Such classical 
scenarios have been widely studied by the classical cryp- 
tology community, and many of their results can thus be 
directly apphed. 

D. Simple individual attacks: Intercept-resend and 
measurement in the intermediate basis 

The simplest attack for Eve consists in intercepting all 
photons individually, measuring them in a basis chosen 
randomly between the two baseis used by Alice, and 
seiiding .new photons to Bob prepared according to her 



^^ith today's technology, it might even be fair to assOme 
that in individual attacks Eve mu$t measure her probe before 
the basis reconciliation. 
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FIG. 27. Poincare representation of the BB84 states and the 
intermediate basis, also known as the Breidbart basis, that can 
be used by Eve. 



result. As presented in Sec. n.C3 and assuming that the 
BB84 protocol is used, Eve thus gets 0.5 bits of informa- 
tion per bit in the sifted key, for an induced QBER of 
25%. Let us illustrate the general formalism with this 
simple example. Eve's mean information gain on Alice*s 
bit, /(a,e), equals their relative entropy decrease: 

I{a,€)-Ha priori" posteriori > (40) 

i.e., I{a,p) is the number of bits one can save by writing 
a when knowing ^. Since the a priori probability for 
Alice*s bit is uniform, HapHoTi-^- The a posteriori en- 
tropy has to be averaged over all possible results r that 
Eve might get: 



posuriori-^ P{r)H{i\r), 



i^(i|r) = -EP(i|r)log2[P(i|r)], 



(41) 



(42) 



where the a posteriori probability of bit t, given Eve's 
result r, is given by Hayes's theorem: 



P(z|r) = 



P{r\i)P{i) 
P{r) ' 



(43) 



with P(r) = 2fF(r|/)/'(/). In the case of intercept re- 
send, Eve gets one out of four possible results: r 
^{T,i,^,— After the basis has been revealed, Alice's 
input assumes one of two values: / e {t ,i} (assuming the 
1 1 basis was used, the other case is completely analo- 
gous). One gets ?(i=||r=T) = l, ^(i=Tk=->) = i, 
and P{r) = l Hence. /(tr,6)-l-iA(l)-ift(i) = l-| 

= i [with h{p)^p I0g2(p) + (l-p)l0g2(l-p)]. 

Another strategy for Eve, no more difficult to imple- 
ment, consists in measuring the photons in the interme- 
diate basis (see Fig. 27), also known as the Breidbart 
basis (Bennett, Bessette, etal., 1992). In this case the 
probabiUty that Eve guesses the correct bit value is p 
= cos(7r/8)^ = J + v5/4 «*0.854, coirespdnding . to a 
QBER=^2p(l-p)=25% and a Shannoii: information 
gain per bit of 




perturbation 



information 



/=l-/f(p)«'0.399. 



(44). 



FIG. 28. Eavesdropping on a quantum channel. Eve extracts 
information from the quantum channel between Alice and 
Bob at the cost of introducing noise into that channel 

Consequently, this strategy is less advantageous for Eve 
than the intercept-resend strategy. Note however, that 
with this strategy Eve's probability of guessing the cor- 
rect bit value is 85%, compared to only 75% in the 
intercept-resend case. This is possible because in the lat- 
ter case, Eve's information is deterministic in half the 
cases, while in the former Eve^ information is always 
probabilistic (formally, this results from the convexity of 
the entropy function). 



E. Symmetric individual attacks 

In this section we present in some detail how Eve 
could get the maximum Shannon information for a fixed 
QBER, assuming a perfect single-qubit source and re- 
stricting Eve to attacks on one qubit after the other (i.e., 
individual attacks). The motivation is that this idealized 
situation is rather simple to treat and nicely illustrates 
several of the subtleties of the subject. Here we concen- 
trate on the BB84 four-state protocol; for related results 
on the two-state and six-state protocols, see Fuchs and 
Peres (1996) and Bechmann-Pasquinucci and Gisin 
(1999), respectively. 

The general idea of eavesdropping on a quantum 
channel is as follows. When a qubit propagates from Al- 
ice to Bob, Eve can let a system of her choice, called a 
probe, interact with the qubit (see Figr 28). She can 
freely choose the probe and its uiitial state, but the sys- 
tem must obey the rules of quantum mechanics (i.e., be 
described in some Hilbert space). Eve can also choose 
the interaction, but it should be independent of the qu- 
bit state, and she should obey the laws of quantum me- 
chanics; i.e., her interaction must be described by a uni- 
tary operator. After the interaction a qubit has to go to 
Bob (in Sec. VI.H we consider lossy channels, so that 
Bob does not always expect a qubit, a fact that Eve can 
take advantage of). It makes no difference whether this 
qubit is the original one (possibly in a modified state). 
Indeed, the question does not even make sense, since a 
qubit is nothing but a qubit. However, in the formalism 
it is convenient to use the same Hilbert space for the . 
qubit sent by Ahce as for the qubit received by Bob (this 
is no loss of generality, since the swap operator^efined 
by i//^ (p-^ <f>0 t/f for all f^,<^is unitary and could be ap- 
pended to Eve*s interactibn). 
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FIG. 29. Poincare representation of BB84 states in the event 
of a symmetrical attack. The state received by Bob after the 
mteraction .of Eve*s probe is related to the one sent by Alice by 
a simple shrinking factor. When the unitary operator U en- 
tangles the qubit and Eve*s probe, Bob's state [Eq. (46)] is 
mixed and is represented by a point inside the Poincare 
sphere. 

Let TiEve C^®HEve ^® the Hilbert spaces of Eve's 
probe £ind of the total qubit + probe system, respectively. 
K |m), |0), and U denote the qubit*s and the probe's 
initial states and the unitary interaction, respectively, 
then the state of the qubit received by Bob is given by 
the density matrix obtained by tracing out Eve's probe: 

The symmetry of the BB84 protocol makes it very natu- 
. ral to assume that Bob's state is related to Ahce's |m) by 
a simple shrinking factor^° 37 e [0,1] (see Fig. 29): 



1+ r)ma- 



(46) 



Eavesdropping attacks that satisfy the above condition 
are called symmetric-attacks. 

Since the qubit state space is two dimensional, the 
unitary operator is entirely determined by its action on 
two states, for example, the |t) and |i) states (in this 
section we use spin-5 notation for the qubits). After the 
unitary interaction, it is convenient to write the states in 
the Schmidt form (Peres, 1997): 



t/|T,0)=|T)®^T+U)®^T' 
f/|i,O)=U)®01+|T)®^i. 
where the four states 0| , 0| , d-x 



(47) 
(48) 



7| , and ^1 belong to the 
Hilbert space of Eve's probe 71^^^ satisfy <^|X 9^ and 
<i>ll.d^. By symmetry |</»|p=|<^|p-.F and |^tI^==I^iI^ 
=P. Unitarity imposes jp'+r=l and 



^^Fuchs and Peres were the first to derive the result presented 
in this sectioii, using numerical optimization. Almost simulta- 
neously, it was derived by Robert Griffiths and his student 
Chi-Sherig Niu under very general conditions, and by Nicolas 
Gisin using the symmetry argument presented here. These five 
authors joined forces to produce a single paper (Fuchs er a/., 
1^97). The result of this section is thus also valid without this 
symmetry assumption. 



<*Tl^i) + {<^Tl^i>=0- (49) 
The ^'s correspond to Eve's state when Bob receives the 
qubit undisturbed, while the ^s are Eve*s state when the 
qubit is disturbed. 

Let us emphasize that this is the most general imitary 
interaction satisfying Eq. (46). One finds that the shrink- 
ing factor is given by rj^T-V, Accordingly, if Alice 
sends |T) and Bob measures it in the compatible basis, 
then {'\\pBob{^)\})=^^ the probability that Bob gets 
the correct result. Hence ^ is the fidelity and P the 
QBER. 

Note that only four states span Eve's relevant state 
space. Hence Eve's effective Hilbert space is at most 
four dimensional, no matter how subtle she might be.^^ 
This greatly simplifies the analysis. 

Symmetry requires that the attack on the other basis 
satisfy 



y|^,0)-£/ 



|T, 0)+U,0) 



=— (lt)®0T + li)®^T 

+U)®^i+lT)®^i) 



where 



(50) 

(51) 

(52) 
(53) 

(54) 
(55) 

(56) 
(57) 



<;6^=2(^T+^T'*"^i+^l)» 
1 

^^=2(<^T-^T-^i+^l)- 
Similarly, 

1 

«;«»^=2'(0t-^r+*i-^i). 
1 

Condition (46) for the {|— )} basis- imphes that 
6^ <l>^ and 0^ <t>^ . By proper choice of the phases, 
can be made real. By condition (49), (^||<^|) is 
then also real. Symmetry implies that (0_,|^^)eRe. A 
straightforward computation concludes that all scalar 
products among Eve's states are real and that the <t>'s 
generate a subspace orthogonal to the ^s: 

(^tl^i) = (<Ail^T>-0. ■ (58) 
Finally, using i.e., that the shrinking is the 

same for all states, one obtains a relation between the 
probe states' overlap and the fidehty: 



Actually, Niu and Griffiths (1999) showed that two- 
dimensional probes suffice for Eve to get as much information 
as with the strategy presented here, though in their case the 
attack is not syinmetric .(ohe basis is more disturbed than the 
other); 
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(59) 



where the hats denote normalized states, e.g., At 
= 012?-^. . ^ 

. Consequently the entire class of symmetric individual 
attacks depends only on two real parameters:^^ co5(;c) 
-(^ll^l) and cos(y)-(§||§|). 

Thanks to symmetry, it suffices to analyze this sce- 
nario for the case when Alice sends the |T) state and 
Bob measures in the {T,i} basis (if not, Alice, Bob, and 
Eve disregard the data). Since Eve knows the basis, she 
knows that her probe is in one of the following two 
mixed states: 



(60) 



PEve(l) = ^(4>iH'DP{9{), (61) 

An optimum measurement strategy for Eve to distin- 
guish between pEvei^) and psveil) consists in first de- 
termining whether her state is in the subspace generated 
by and or the one generated by 6^ and . This is 
possible, since the two subspaces are mutually orthogo- 
nal. Eve must then distinguish between two pure states 
vwth an overlap of either cos jc or cosy. The first alterna- 
tive occurs with probability .F. the second with probabil- 
ity V. The optimal measurement distinguishing two 
states with overlap cosjc is known to provide Eve with 
the correct guess with probability [H-sin(;c)]/2 (Peres, 
1997). Eve's maximal Shannon information, attained 
when she performs the optimal measurements, is thus 
given by 



/(a,e)=jr. 



1-h 



l-\-sinx 



1 + siny 



(62) 



where h(p) = ''p log2(p)-(l-p)log2(l~p). For a given 
error rate P, this information is maximal when x—y. 
Consequently, for V= [1 -cos(;c)]/2, one obtains: 



/^(a,e)=l-/i 



1 + sinjc 



(63) 



This provides the explicit and analytic optimum eaves- 
dropping strategy. For x=0 the QBER (i.e., V) and the 
information gain are both zero. For Ji£:= 7r/2 the QBER is 
5 and the information gain 1. For smaU QBER's, the 
information gain grows linearly: 



(64) 



Interestingly, when the symmetry is extended to a third 
maximally conjugated, basis, as is natural in the six-state pro- 
tocol of Sec. II.D.2, the number of parameters reduces to one. 
This parameter measures the relative, quality of Bob's and 
Eve's "copy" of the qubit sent by Alice. When both copies are 
of equal quality, oiie recovers the optimal cloning presented in 
Sec. ir.F (Bechmann-Piasquiriucci and. Gisin, 1999). 
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FIG. 30. Eve^s and Bob's mformation vs the QBER, here plot- 
ted for incoherent eavesdropping on the four-state protocol. 
For QBER^ below QBERo, Bob has more mformation than 
Eve, and secret-key agreement can be achieved using classical 
error conection and privacy amplification, which can, in prin- 
dple, be uxiplemented using only one-way communication. 
The secret-key rate can be as large as the information differ- 
ences. For QBER'Ss above QBERo (=^o). Bob has a disad- 
vantage with respect to Eve. Nevertheless, Alice and Bob can 
apply quantum privacy amplification up to the QBER corre- 
sponding to the intercept-resend eavesdropping strategies (IR4 
and IR^ for the four-state and six-state protocols, respectively). 
Alternatively, they can apply a classical protocol called advan- 
tage distillation, which is effective up to precisely the same 
maximal QBER IR4 and IR^ . Both the quantum and the clas- 
sical protocols require two-way communication. Note that for 
the eavesdropping strategy that will be optimal, from Eve 
Shannon point of view, on the four-state protocol, QBERo 
should correspond precisely to the noise threshold above 
which a Bell^ inequality can no longer be violated. 



Once Alice, Bob, and Eve have measured their quan- 
tmn systems, they are left with classical random vari- 
ables a, ^, and e, respectively. Secret-key agreement be- 
tween Alice and Bob is then possible using only error 
correction and privacy amplification if and only if the 
Alice-Bob mutual Shannon information I{a,fi) is 
greater than the Alice-Eve or the Bob-Eve mutual 
information,^^ I{a,p)>I{a,€) or I(a,fi)>I(/3,€). It is 
thus interesting to compare Eve's maximal information 
[Eq. (64)] with Bob's Shannon information. The latter 
depends only on the error rate V: 



(65) 



. = l+X>log2(2?)+(l-7:))log2(l-P). (66) 

Bob's and Eve's information are plotted in Fig. 30. As 
expected, for low error rates P, Bob's information is 
greater. But, more errors provide Eve with, more infor- 



^^Note, however, thiat if this condition is not satisfied, other 
protocols might sometimes be used; see Sec. II.C.5. These pro- 
tocols are significanUy less efficient and are usually not consid- 
ered as part of "standard" QC. Note also that, in the scenario 
analyzed irt this section, /(^, e) = /( a, e) . 



Rev. Mod. Phys., Vol. 74, No. 1, January 2002 



94 



Gisin et at.: Quantum cryptography 



185 



mation, while decreasing Bob's information. Hence both 
information curves cross at a specific error islIc Vq: 

Consequently the security criterion against individual at- 
tacks for the BB84 protocol is 

1-1/V5 

BB84 secure<^D<I>o« — ^ — • (^^^ 

For QBER*s greater than Vq , no (one-way communi- 
cation) error correction and privacy amplification proto- 
col can provide Alice and Bob with a secret key that is 
inmiune to any individual attacks. 

Let us mention that there exists a dass of more gen- 
eral classical protocols, called advantage distillation (Sec, 
n.C.5), which uses two-way communication. These pro- 
tocols can guarantee secrecy if and only if Eve's inter- 
vention does not disentangle AJice and Bob's qubits (as- 
suming they use the Ekert version of the BB84 protocol; 
Gisin and Wolf, 2000). If Eve optimizes her Shannon 
information as discussed in this section, this disentangle- 
ment limit corresponds to a QBER= 1 - 1/V2«30% (Gi- 
sin and Wolf, 1999). However, using more brutal strate- 
gies, Eve can disentangle Alice and Bob's qubits for a 
QBER of 25%; see Fig. 30. The latter is thus the abso- 
lute upper limit, taking into account the most general 
secret-key protocols. In practice, the limit (67) is more 
realistic, since advantage distillation algorithms are 
much less efficient than classical privacy amphfication 
algorithms. 

F. Connection to Bell's InequsUity 

There is an intriguing connection between the tight- 
bound [Eq, (68)] and the aauser-Home-Shimony-Holt 
(CHSH) form of Bell's inequality (Bell, 1964; Clauser 
et aL, 1969; Clauser and Shimony, 1978; Zeihnger, 1999): 

S^E(a) + E{a,b'HE(a\b)-E{a' ,b')^Z (69) 

Here E(a,b) is the correlation between Alice and Bob*s 
data when measuring Ca^l and 10(7-^, where org de- 
notes an observable with eigenvalues ±1 parametrized 

by the label a. Recall that Bell's inequahties are neces- 
sarily satisfied by ail local models but are violated by 
quantum mechanics.^ To estabUsh this connection, as- 
sume that the same quantum channel is used to test 
Bell's inequahty. It is well known that, for error-free 
channels, a maximal violation by a factor Vi is achiev- 
able: 5max=2V2>2, However, if the channel is imperfect. 



^'^Let us stress that the CHSH-Bell's inequality is the stron- 
gest possible for two qubits. Indeed, this inequality is violated 
if and oiily if the correlation cannot be reprojduced by a local 
hidden-variable model (Pitowski, 1989). 



or equivalently if some perturbing Eve acts on the chan- 
nel, then the quantum correlation E(a,b\V) is reduced: 

JB(fl.&|2?)=^.£(a,&)-2).£(fl.^) (70) 

-(l-2P).£(a,ft), (71) 

where E(ayb) denotes the correlation for the unper- 
turbed channel. The achievable amount of violation is 
then reduced to S^{V)=^(1-2V)2\/1, and for large 
perturbations no violation at all can be achieved. Inter- 
estingly, the critical perturbation T> up to which a viola- 
tion can be observed is precisely the same Vq as the limit 
derived in the previous section for the security of the 
BB84 protocol: 

1-1/vl 

^max(^)>2^P<PoS ^ . (72) 

This is a surprising and appealing connection between 
the security of QC and tests of quantum nonlocality. 
One could argue that this connection is quite naturai, 
since, if Bell's inequality were not violated, then quan- 
tum mechanics would be incomplete, and no secure 
communication could be based on such an incomplete 
theory. In some sense, Eve's information is like probabi- 
listic local hidden variables. However, the connection 
between Bqs. (68) and (72) has not been generalized to 
other protocols. A complete picture of these connec- 
tions is thus not yet available. 

Let us emphasize that nonlocahty plays no direct role 
in QC. Indeed, Alice is generally in Bob's absolute past 
Nevertheless, Bell's inequality can be violated by space- 
like separated events as weU as by timehke separated 
events. However, the independence assumption neces- 
sary to derive Bell's inequaUty is justified by locahty con- 
siderations only for spacelike separated events. 



G. Ultimate security proofs 

The security proof of QC with a perfect apparatus and 
a noise-free channel is straightforward. However, the 
fact that security can still be proven for an imperfect 
apparatus and noisy channels is far from obvious. 
Clearly, something has to be assumed about the appara- 
tus. In this section we simply make the hypothesis that 
they are perfect. For the channel that is not under Alice 
and Bob's control, however, iiothing is assumed The 
question is then Up to what QlBER can Alice and Bob 
apply error correction and privacy amplification to their 
classical bits? In the previous sections vi^e found that the 
threshold is close to a QBER of 15 %, assuming indi- • 
vidual attacks. In principle Eve could manipulate sieveral 
qubits coherently. How much help to Eve this possibiUty 
provides is still unknown, though some bounds are 
known. In 1996, Dominic Mayers (1996b) presented the 
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main ideas on how to prove security.^^ In 1998, two ma- 
jor papers were made public on the Los Alamos archives 
(Mayers, 1998, and Lo and Chau, 1999). Today, these 
proofs are generally considered valid, thanks to the 
work of— among others— Shor and Preskill (2000), In- 
amori et al (2001), and Biham et al (1999). However, it 
is worth noting that during the first few years after the 
initial disclosure of these proofs, hardly anyone in the 
community understood them. 

Here we shall present the argument in a form quite 
different from the original proofe. Our presentation 
aims at being transparent in the sense that it rests on two 
theorems. The proofs of the theorems are difficult and 
will be omitted. However, their claims are easy to under- 
stand and rather intuitive. Once one accepts the theo- 
rems, the security proof is straightforward. 

The general idea is that at some point Alice, Bob, and 
Eve perform measurements on their quantvun systems. 
The outcomes provide them with classical random vari- 
ables a, and €, respectively, with P{ayP,€) the joint 
probabihty distribution. The first theorem, a standard of 
classical information-based cryptography, states the nec- 
essary and suffident condition on P{a,fi,€) for Alice 
and Bob to extract a secret key from P(a,p,€) (Csiszar 
and Komer, 1978). The second theorem is a clever ver- 
sion of Heisenberg's uncertainty relation expressed in 
terms of available information (Hall, 1995): it sets a 
bound on the sura of the information about Alice's key 
available to Bob and to Eve. 

Theorem 1. For a given P{a,p,€)\ Alice and Bob can 
estabhsh a secret key (using only error correction and 
classical privacy ampUfication) if and only if /(a,)3) 
^/(a,6) or I{a,0)^I{p,€), where I(a,p)-=H{a) 
—H(a\p) denotes the mutual information and H is the 
Shannon entropy. 

Theorem 2. Let E and B be two observables in an 
N-dimensional Hilbert space. Let /3, and |^) be 
the corresponding eigenvalues and eigenvectors, respec- 
tively, and let c=max^^|(€|^|}. Then 

/(a,€)-h/(a,)3)^21og2(iVc), . (73) 

where /(a,6)=/f(a)~/f(a|e) and I(a,/3) = H(a) 
-H{a\p) are the entropy differences corresponding to 
the probability distribution of the eigenvalues a prior to 
and deduced from any measurement by Eve and Bob, 
respectively. 

The first theorem states that Bob must have more in- 
fonnation about Alice's bits than does Eve (see Fig. 31). 



^^One of the authors (N.G.) vividly remembers the 1996 In- 
stitute for Scientific Interchange workshop in Torino, Italy, 
sponsored by Elsag Bailey, where he ended his talk by stress- 
ing the iiiiportance of security proofs. Dominic Mayers stood 
up, gave some explanation, and wrote a formula on a transpar- 
ency claiming that this was the result of his proof. We think it 
is fair to say that no one in the audience understood Mayers' 
explanation. However, N.G. kept the transparency, and it con- 
tains the basic Eq, (75) (up to a factor of 2, which corresponds 
to an improvement of Mayer's result obtained in 2000 by Shor 
and Preskill, using ideas from Lo and Chau). 
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FIG. 31. Intuitive illustration of Theorem 1. The initial situa- 
tion is depicted in (a). During the one-way public discussion 
phase of the protocol, Eve receives as much mforraation as 
Bob; the initial information difference S thus remains. After 
error correction, Bob's information equals 1, as illustrated in 

(b) . After privacy amplification Eve^ information is zero. In 

(c) Bob has replaced with random bits all bits to be disre- 
garded. Hence the key still has its original length, but his in- 
formation has decreased. Finally, in (d) removal of the random 
bits shortens the key to the initial information difference. Bob 
has full information on this final key, while Eve has none. 

Since error correction and privacy amplification can be 
implemented using only one-way communication, Theo- 
rem 1 can be imderstood intuitively as follows. The ini- 
tial situation is depicted in Fig. 31(a). During the public 
phase of the protocol, becaiise of the one-way commu- 
nication. Eve receives as much information as Bob. The 
initial information difference S thus remains. After error 
correction, Bob's information equals 1, as illustrated in 
Fig. 31(b), After privacy amplification Eve's information 
is zero. In Fig. 31(c) Bob has replaced all bits to be 
disregarded by random bits. Hence the key still has its 
original length, but his information has decreased. Fi- 
nally, upon removal of the random bits, the key is short- 
ened to the initial information difference S] see Fig, 
31(d). Bob has full information about this final key, 
while Eve has none. 

The second theorem states that if Eve performs a 
measurement providing her with some- information 
/(a,€), then, because of the perturbation, Bob's infor- 
mation is necessarily Umited Using these two theorems, 
the argument now runs as follows. Suppose AHce sends 
out a large number of qubits and that n are received by 
Bob in the correct basis. The relevant Hilbert space's 
dimension is thus N=2". Let us relabel the bases used 
for each of the n qubits such that Alice uses n times the 
X basis. Hence Bob's observable is the Ai-time tensor 
product a-x^-'-^ajf. By symmetry, Eve's optimal infor- 
mation about the correct bases is precisely the same as 
her optimal information about the incorrect ones (May- 
ers, 1998). Hence one can bound her information, as- 
suming she measures ' crj®* * *®^-^. Accordingly, c 
= 2""^, and Theorem 2 implies 

' I{a,€) + Iia,p)^2\og2{2''2^''^) = n, (74)' 

That is, the sum of Eve's and Bob's information per qu- 
bit is less than or equal to 1. This result is quite intuitive: 
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together, Eve and Bob cannot receive more information 
than is sent out by Alice! Next, combining the bound 
(74) with Theorem 1, one deduces that a secret key is 
achievable whenever I(a,fi)^n/2. Using /(a,/3) = rt[l 
-XHog2(I>)-(l-X^)log2(l-P)], one obtains the suffi- 
cient condition on the error rate V (i.e., the QBER): 

Dlog2(P)+(l -2?)log2(l-I>)^ i (75) 

This bound, QBER^11%, is precisely that obtained 
in Mayeis's proof (after improvement by Shor and 
Preskill, 2000). The above proof is, strictly speaking, 
only valid if the key is much longer than the number of 
qubits that Eve attacks coherently, so that the Shannon 
information we used represents averages over many in- 
dependent realizations of clzissical random variables. In 
other words, assuming that Eve can coherentiy attack a 
large but finite number no of qubits, Ahce and Bob can 
use the above proof to secure keys much longer than /iq 
bits. If one assumes that Eve has imlimited power and is 
able to attack coherently any number of qubits, then the 
above proof does not apply, but Mayers 's proof can still 
be used and provides precisely the same bound. 

This 11% bound for coherent attacks is clearly com- 
patible with the 15 % bound found for individual attacks. 
The 15% bound is also necessary, since an expUcit eaves- 
dropping strategy reaching this bound is presented in 
Sec. VI.E, It is not known what happens in the interme- 
diate range 11%<QBER<15%, but the following sce- 
nario is plausible. If Eve is limited to coherent attacks 
on a finite number of qubits, then in the Hmit of arbi- 
trarily long keys, she has a negligibly small probability 
that the bits combined by Alice and Bob during the er- 
ror correction and privacy amplification protocols origi- 
nate from qubits attacked coherently. Consequently, the 
15% bound would still be vaHd (partial results in favor 
of this conjecture can be found in Qrac and Gisin, 1997 
and Bechmann-Pasquinucd and Gisin, 1999). However, 
if Eve has unUmited power, in particular, if she can co- 
herently attack an unlimited number of qubits, then the 
11% bound might be required. 

To conclude this section, let us stress that the above 
security proof applies equally to the six-state protocol 
(Sec. ILD.2). It also extends in a straightforward 
fashion to protocols using larger alphabets (Bechmann- 
Pasquinucci and Peres, 2000; Bechmann-Pasquinucci 
and Tittel, 2000; Bourennane, Karlsson, and Bjorn, 2001; 
Bourennane, Karlsson, Bjorn, Gisin, and Cerf, 2001). 



H. Photon hgmber measurements and lossless channeis 

Ih Sec, m.A we saw that all real photon sources have 
a finite probabihty of emittting more than one photon. If 
all emittied photons encode the same qubit. Eye can take . 
advantage of this; In principle, she can first measure the 
number of photons in each pulse without disturbing the 
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de^ee of freedom encoding the qubits.^^ Such measure- 
ments are sometimes called quantum nondemolition 
measurements, because they do not perturb the qubit; in 
particular they do not destroy the photons. This is pos- 
sible because Eve knows in advance that Alice sends a 
mixture of states with well-defined photon numbers^ 
(see Sec. IIJF). Next, if Eve finds more than one photon, 
she keeps one and sends the other(s) to Bob. In order to 
prevent Bob from detecting a lower qubit rate. Eve must 
use a channel with lower losses. Using an ideally lossless 
quantum channel. Eve can even, under certain condi- 
tions, keep one photon and increase the probabihty that 
pulses witii more than one photon get to Bob! Finally, 
when Eve finds one photon, she may destroy it with 
some probabihty that she does not affect the total num- 
ber of qubits received by Bob. Consequently, if the prob- 
abihty that a nonempty pulse has more than one photon 
(on Ahce's side) is greater than the probabihty that a 
nonempty pulse is detected by Bob, then Eve can get 
full information without introducing any perturbation. 
This is possible only when the QC protocol is not per- 
fectly implemented, but it is a reahstic situation (Hutt- 
ner etoL, 1995; Yuen, 1997). 

Quantum nondemohtion atacks have recendy re- 
ceived a lot of attention (Brassard etai, 2000; Liitken- 
haus, 2000). The debate is not yet settied. We would like 
to argue that it might be unrealistic, or even unphysical, 
to assume that Eve can perform ideal quantum non- 
demohtion attacks. Indeed, she first needs the capacity 
to perform quantum nondemohtion photon-number 
measurements. Although impossible with today's tech- 
nology, this is a reasonable assumption (Nogues etaL, 
1999). Next, she should be able to keep her photon until 
Ahce and Bob reveal the basis. In principle, this could 
be achieved using a lossless channel in a loop. We dis- 
cuss this eventuality below. Another possibihty would be 
for Eve to map her photon to a quantum memory. This 
does not exist today but might well exist in the future. 
Note that the quantum memory should have essentiahy 
imlimited decoherence time, since Ahce and Bob could 
easily wait for minutes before revealing the bases.^* Fi- 
nally, Eve must access a lossless channel; or at least a 
channel with lower losses than that used by Ahce and 



^^For polarization coding, this is quite clear, but for phase 
coding one may think (incorrectly) that phase and photon 
number are incompatible. However, the phase used for encod- 
ing is a relative phase between two modes. Whether these 
modes are polarization modes or correspond to different times 
(determined, for example, by the relative length of interferom- 
eters), does not matter. 

^^Recall that a mixturjB of coherent states le'^a) with a 
random phase </>, as produced by lasers when no phase refer- 
ence is available, is equal to a mixture of photon number states 
\h) with Poisson statistics;'. •/o^^'^«)(^'^^l (^^^^tt) 
= 2„»o(M"/n!)e""1n)(/»t. where 

^^e quantum part of the proiocol could run continuously, 
storing large amounts of raw classical data, but the classical 
part of the protocol, which processes these raw data, could 
take place just seconds before the key is used. 
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Bob. This might be the trickiest point. Indeed, besides 
using a shorter channel, what can Eve do? Telecommu- 
nications fibers are already at the physical limits of what 
can be achieved (Thomas et al, 2000). The loss is ahnost 
entirely due to Rayleigh scattering, which is unavoid- 
able: solve the Schrodinger equation in a mediimi with 
inhomogeneities and you get scattering. When the inho- 
mogeneities are due to the molecular stucture of the 
medium, it is difficult to imagine lossless fibers. The 
0.18-dB/km attenuation in silica fibers at 1550 nm is a 
lower bound imposed by physics rather then 
technology.^^ Note that using air is not a viable solution, 
since attenuation at telecommunications wavelengths is 
rather high. Vacuum, the only way to avoid Rayleigh 
scattering, also has limitations, due to diffraction, again 
an unavoidable physical phenomenon. In the end, it 
seems that Eve has only two possibilities left. Either she 
uses teleportation (with extremely high success prob- 
ability and fidelity) or she converts the photons to an- 
other wavelength (without perturbing the qubit). Both 
of these "solutions" seem unrealistic in the foreseeable 
future. 

Consequently, when considering the type of attacks 
discussed in this section, it is essential to distinguish the 
ultimate proofs from the practical ones. Indeed, the as- 
sumptions about the defects of Alice and Bob's appara- 
tuses must be very specific and might thus be of limited 
interest, while for practical considerations these assump- 
tions must be very general and might thus be excessive. 



I. A realistic beamsplitter attack 

The attack presented in the previous section takes ad- 
vantage of pulses containing more than one photon. 
However, as discussed, it uses uiuealistic assumptions. In 
this section, following Dusek et al (2000) and Liitken- 
haus (2000), we briefly comment on a reaUstic attack 
that, also exploits multiphoton pukes (for details, see 
Felix et al, 2001, where this and other examples are pre- 
sented). Assume that Eve spUts all pulses in two, analyz- 
ing each half in one of the two bases, using photon 
counting devices able to distinguish between pulses with 
0, 1, and 2 photons (see Fig. 32). In practice this could be 
realized using many single-photon counters in parallel. 
This requires nearly perfect detectors, but at least one 
does not need to assume technology completely out of 
today's reahn. Whenever Eve detects two photons in the 
same output, she sends a photon in the corresponding 



Photonics crystal fibers have the potential to overcome the 
Rayleigh scattering limit. There are two kinds of such fibers. 
The first kind guides light by total internal reflection, as in 
ordinary fibers. In these fibers most of the light also propagates 
in silica, and thus the loss limit is similar. In the second kind, 
mbst of the light propagates in air. Thus the theoretical loss 
limit is lower. However, today the losses are extremely high, in 
the range of hundreds of dB/km. The best reported result that 
we are aware of is 11 dB/km, and it was obtained with the first 
kind of fiber (Canning a/., 2000), 
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FIG. 32. Realistic beamsplitter attack. Eve stops all pulses. 
The two photon pulses have a 50% probability of being ana- 
lyzed by the same analyzer. If this analyzer is compatible with 
the state prepared by Alice, then both photons are detected 
with the same outcome; if not, there is a 50% chance that they 
are detected with the same outcome. Hence there is a prob- 
ability of I that Eve detects both photons with the same out- 
come. In such a case, and only in such a case, she resends a 
photon to Bob. In f of these cases she introduces no errors, 
since she has identified the correct state and gets full informa- 
tion; in the remaining cases she has a 50% probability of in- 
troducing an error and gains no mformation. The total QBER 
is thus 5, and Eve% information gain is f . 

state into Bob's apparatus. Since Eve's information is 
classical, she can overcome all the losses of the quantum 
channel. In all other cases, Eve sends nothing to Bob. In 
this way, Eve sends a fraction (|) of the pulses contain- 
ing at least two photons to Bob. She introduces a QBER 
of I and gets information /(^,£:) = 1=4- QBER. Bob 
does not see any reduction in the number of detected 
photons, provided that the transmission coefficient of 
the quantum channel t satisfies 

f=s^Prob(n^2|n^l)-^, (76) 

where the last expression assumes Poissonian photon 
distribution. Accordingly, for a fixed QBER, this attack 
provides Eve with twice the information she would get 
from using the intercept-resend strategy. To counter 
such an attack, Alice should use a mean photon number 
/i such that Eve can use this attack on only a fraction of 
the pulses. For example, Alice could use pulses weak 
enough that Eve's mean information gain Is identical to 
what she would obtain with the simple intercept-resend 
strategy (see Sec. II.C3). For 10-, 14-, and 20-dB attenu- 
ation, this corresponds to 0.25, 0.1, and 0.025, respec- 
tively. 

J. Multiphoton pulses and passive choice of states 

Multiphoton pulses do not necessarily constitute a 
threat to key security, but they Umit the key creation 
rate because they inaply that naore bits must be dis- 
carded during key distillation. This fact is based on the 
assumption that all photons in a pulse carry the same, 
qubit, so that Eve does not need to copy the qubit going 
to Bob, but merely keeps the copy that Alice inadvert- 
ently provides. When using weak pulses, it seems un- 
avoidable that all the photons in a pulse carry the same 
qubit. However, in two-photoh implementations, each 
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photon on Alice's side independently chooses a state [in 
the experiments of Ribordy et oL (2001) and Tittel et oL 
(2O00), each photon randomly chooses both its basis and 
its bit value; in the experiments of Naik et al (2000) and 
. Jennewein, Simon, et al (2000), only the bit value choice . 
is random]. Hence, when two photon pairs are simulta- 
neously produced, the two twins carry independent qu- 
bits by accident. Consequently, Eve cannot take advan- 
tage of such multiphoton twin pulses. This might be one 
of the main advantages of two-photon schemes over the 
much simpler weak-pulse schemes. But the multiphoton 
problem is then on Bob's side, which gets a noisy signal, 
consisting partly of photons not m AUce's state. 

K. IVojan horse attacks 

All eavesdropping strategies discussed up to this point 
have consisted of Eve's attempt to get a maximum infor- 
mation from the qubits exchanged by Ahce and Bob. 
However, Eve can also pursue a completely different 
strategy: she can herself send signals that enter Ahce 
and Bob's offices through the quantum channel. This 
kind of strategy is called a Trojan horse attack. For ex- 
ample, Eve can send light pulses into the fiber entering 
Alice's or Bob's apparatus and analyze the backreflected 
light. In this way, it is in principle possible to detect 
which laser just flashed, which detector just fired, or the 
settings of phase and polarization modulators. This can- 
not be prevented by simply using a shutter, since Alice 
and Bob must leave the "door open" for the photons to 
exit and enter, respectively. 

In most QC setups the amount of backreflected light 
can be made very small, and sensing the apparatus with 
hght pulses through the quantum channel is difficult. 
Nevertheless, this attack is especially threatening in the 
plug-and-play scheme on Alice's side (Sec. IV.C.2), since 
a mirror is used to send the hght pulses back to Bob. 
Thus, in principle, Eve can send strong light pulses to 
Alice and sense the apphed phase shift. However, by 
applying the phase shift only during a short time At^\^^^ 
(a few nanoseconds), Ahce can oblige Eve to send the 
spying pulse at the same time as Bob. Remember that in 
the plug-and-play scheme, pulses coming from Bob are 
macroscopic and an attenuator at Alice's end reduces 
them to below the one-photon level, say, 0,1 photons per 
pulse. Hence, if Eve wants to get, say, one photon per 
pulse, she has to send ten times Bob's pulse energy. 
Since Alice is detecting Bob's pulses for triggering her 
apparatus, she must be able to detect an increase in en- 
ergy of these pulses in order to reveal the presence of a 
spying pulse. This is a relatively easy task, provided that 
Eve's pulses look the same as Bob's. However, Eve could 
of course use another wavelength or ultrashort pulses 
(or very long pulses with low intensity, hence the impor- 
tance of A fpTifljc); therefore Ahce must introduce an op- 
tical bandpass filter with a transmission spectrum corre- 
spondiujg to the sensitivity spectrum of her detector and 
choose a Atpi^^^^ thsit fits the bandwidth of her detector. . 

There is no doubt that Trojan horse attacks can be 
prevented by technical measures. However, the fact that 
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this class of attacks exists illustrates that the security of 
QC can never be guaranteed by the principles of 
quantum mechanics only, but must necessarily rely on 
technical measures that are subject to discussion.^ 



L Real security: Technology, cost, and complexity 

Despite the elegance and generaUty of security proofs, 
the ideal of a QC system whose security reUes entirely 
on quantum principles is unrealistic. The technological 
implementation of abstract principles will always be 
questionable. It is likely that tiiey \W11 remain the weak- 
est point in all systems. Moreover, one should remember 
the obvious relation: 

Infinite security=> Infinite cost 

=»Zero practical interest. (77) 

On the other hand, however, one should not underes- 
timate the following two advantages of QC. Fkst, it is 
much easier to forecast progress in technology than in 
mathematics: the danger that QC will break down over- 
night is neghgible, in contrast to pubUc-key cryptosys- 
tems. Next, the security of QC depends on the techno- 
logical level of the adversary at the time of the key 
exchange, in contrast to complexity-based systems whose 
coded message can be registered and broicen thanks to 
future progress. The latter point is relevant for secrets 
whose value lasts many years. 

One often pomts to low bit rate as one of the current 
hmitations of QC. However, it is important to stress that 
QC need not be used in conjunction with one-time-pad 
encryption. It can also be used to provide a key for a 
symmetrical cipher such as AES, whose security is 
greatly enhanced by frequent key changes. 

To conclude this section, let us briefly elaborate on the 
differences and similarities between technological and 
mathematical complexity and on their possible connec- 
tions and implications. Mathematical complexity means 
that the number of steps needed to run complex algo- 
rithms increases exponentially as the size" of the input 
grows linearly. Similarly, one can define the technologi- 
cal complexity of a quantum computer as an exponen- 
tially increasing difficulty to process coherentiy all the 
qubits necessary to run a (noncomplex) algorithm on a 
linearly growing number of input data. It might be inter- 
esting to consider the possibility that the relationship 
between these two concepts of complexity is deeper. It 
could be that the solution of a problem requires either a 
complex classical algorithm or a quantum algorithm that 
itself requires a complex quantum computer.^^ 



^Another technological loophole, recently pointed out by 
Kurtsiefer et al (2001), is the possible information leakage 
caused by Hght emitted by APD's during their breakdown. 

^^Penrose (1994) pushes these speculations even further, sug- 
gesting that spontaneous collapses stop quantum computers 
whenever they try to compute beyond a certain complexity. 
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VII. CONCLUSIONS 

Quantum cryptography is a fascinating illustration of 
the dialog between basic and ^plied physics. It is based 
on a beautiful combination of concepts from quantum 
physics and information theory and made possible by 
the tremendous progress in quantum optics and the 
technology of optical fibers and free-space optical com- 
munication. Its security principle rehes on deep theo* 
rems m classical information theory and on a profound 
understanding of Heisenberg's uncertainty principle, as 
illustrated by Theorems 1 and 2 in Sec. VI.G (the only 
mathematically involved theorems in this review). Let us 
also emphasize the important contributions of QC to 
classical cryptography: privacy amplification and classi- 
cal bound information (Sees. n.C.4 and ILC.5) are ex- 
amples of concepts in classical mformation whose dis- 
covery were much inspired by QC. Moreover, the 
fascinating tension between quantum physics and rela- 
tivity, as illustrated by Bell's inequality, is not far away, 
as discussed in Sec. VI.F. Now, despite significant 
progress in recent years, many open questions and tech- 
nological challenges remain. 

One technological challenge at present concerns im- 
proved detectors compatible with telecommunications 
fibers. Two other issues concern free-space QC and 
quantum repeaters. The former is currendy the only way 
to realize QC over thousands of kilometers using the 
technology of the near future (see Sec. IV.E). The idea 
of quantum repeaters (Sec. III.E) is to encode the qubits 
in such a way that if the error rate is low, then errors can 
be detected and corrected entirely in the quantum do- 
main. The hope is that such techniques could extend the 
range of quantum communication to essentially unlim- 
ited distances. Indeed, Hans Briegel, then at the Univer- 
sity of Innsbruck, and co-workers (1998) showed that 
the number of additional qubits needed for quantum re- 
peaters can be made smaller than the numbers of qubits 
needed to improve the fidehty of the quantum channel 
(Dur et al, 1999). One could thus overcome the deco- 
herence problem. However, the main practical Umitation 
is not decoherence but loss (most photons never get to 
Bob, but those that do get there exhibit high fidelity). 

As for open questions, let us emphasize three main 
concerns. First, complete and reaUstic analyses of the 
security issues are still missing. Next, figures of merit for 
comparing QC schemes based on different quantum sys- 
tems (with different dimensions, for example) are still 
awaited. Finally, the delicate question of how to test the 
apparatuses has not yet received enough attention. In- 
deed, a potential customer of quantum cryptography 
buys confidence and secrecy, two quaUties hard to quan- 
tify. Interestingly, both of these issues are connected to 
Bell's inequality (see Sees. VI.F and VI.B). Qearly, this 
connection cannot be phrased in the old context of local 
hidden variables, but rather in the context of the secu- 
rity of tomorrow's communications. Here, as in the en- 
tire field of quantum information, old concepts are re- 
newed by looking at them from a fresh perspective: let 
us exploit quantum weirdness. 
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QC could well be the first appUcation of quantum me- 
chanics at the single-quantum level. Experiments have 
demonstrated that keys can be exchanged over distances 
of a few tens of kilometers at rates on the order of at 
least a thousand bits per second There is no doubt that 
the technology can be mastered and the question is not 
whether QC will find commercial apphcations, but 
when. At present QC is still very limited in distance and 
in secret bit rate. Moreover, pubUc-key systems domi- 
nate the market and, being pure software, are tremen- 
dously easier to manage. Every so often, we hear in the 
news that some classical cryptosystem has been broken. 
This would be impossible with properly implemented 
QC. But this apparent strength of QC might turn out to 
be its weak point: security agencies would be equally 
unable to break quantum cryptograms! 
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